Windows Analysis Report
IJr8RvvhZ3.exe

Overview

General Information

Sample Name:	IJr8RvvhZ3.exe
Analysis ID:	694560
MD5:	b77359bc85030f5f856b8010c0ddf6a8
SHA1:	5bff219a3d20203a239a23db69385f2611e67f5d
SHA256:	afd36e5d309ba8576b7e6a31ab1b3af4c3c0530052a2c31b97c688c0e2515005
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: IJr8RvvhZ3.exe	Virustotal: Detection: 87%	Perma Link
Source: IJr8RvvhZ3.exe	Metadefender: Detection: 86%	Perma Link
Source: IJr8RvvhZ3.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: IJr8RvvhZ3.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: IJr8RvvhZ3.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 25.3.mqsmvj.exe.3490000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.mqsmvj.exe.3790000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 38.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 36.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.mqsmvj.exe.32b0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.3.mqsmvj.exe.3130000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.3.mqsmvj.exe.3970000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.3.mqsmvj.exe.3a70000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.3.mqsmvj.exe.3930000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 38.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.3.mqsmvj.exe.3290000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.3.mqsmvj.exe.3b50000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 36.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.3.mqsmvj.exe.3470000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 27.3.mqsmvj.exe.3490000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F148400
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F144B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F144B20
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F145860
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1482B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F1482B0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1463E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F1463E0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F145670
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F146660
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1453D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F1453D0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1434F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F1434F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0F585860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F584B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	3_2_0F584B20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5863E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	3_2_0F5863E0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5882B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	3_2_0F5882B0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	3_2_0F585670
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	3_2_0F586660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F588400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	3_2_0F588400
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5853D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	3_2_0F5853D0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5834F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	3_2_0F5834F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0F585860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F584B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	11_2_0F584B20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5863E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_0F5863E0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5882B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0F5882B0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_0F585670
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F588400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0F588400
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5853D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	11_2_0F5853D0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5834F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	11_2_0F5834F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586682 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0F586682

Uses 32bit PE files

Source: IJr8RvvhZ3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IJr8RvvhZ3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: a:

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F146BA0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F146DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	3_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	3_2_0F586BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0F586BA0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F146FF0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F146FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	3_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	3_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0F586FF0

Found Tor onion address

Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5

May check the online IP address of the machine

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/$
Source: mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/4
Source: mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/9I)
Source: mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/CwX
Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I
Source: mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F148050

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJr8RvvhZ3.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 6000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3780, type: MEMORYSTR

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F146660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	3_2_0F586660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586682 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0F586682

System Summary

Malicious sample detected (through community Yara rule)

Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: IJr8RvvhZ3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Detected potential crypto function

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F141C20	0_2_0F141C20
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F141020	0_2_0F141020
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F148520	0_2_0F148520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F581C20	3_2_0F581C20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F581020	3_2_0F581020
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F588520	3_2_0F588520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F581C20	11_2_0F581C20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F588520	11_2_0F588520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F581020	11_2_0F581020

Source: IJr8RvvhZ3.exe	Virustotal: Detection: 87%
Source: IJr8RvvhZ3.exe	Metadefender: Detection: 86%
Source: IJr8RvvhZ3.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File read: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Jump to behavior

Source: IJr8RvvhZ3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IJr8RvvhZ3.exe "C:\Users\user\Desktop\IJr8RvvhZ3.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@21/1@15/0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F147490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F147490

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F147B70 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F147B70

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=63b5ce1c617217a5

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: IJr8RvvhZ3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: IJr8RvvhZ3.exe, type: SAMPLE
Source: Yara match	File source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.542136140.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.302753635.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.543716929.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.246598852.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598200905.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.583307214.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.518024199.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415482571.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.373855926.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.437171123.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344076256.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.560904578.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.634796069.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.433686067.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.693057490.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.473313238.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.607979017.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.495173424.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.681141144.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.284909876.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.502607674.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.374541763.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.472905613.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.650224978.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.366415830.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.502804269.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.638106882.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.345391884.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.455550683.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.384391365.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.406139264.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.678365276.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.326861802.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.674598119.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.631210947.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.559852565.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.593533053.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.436990656.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.720225413.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJr8RvvhZ3.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 6000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F148400

PE file contains an invalid checksum

Source: IJr8RvvhZ3.exe	Static PE information: real checksum: 0x120f7 should be: 0x1dffd
Source: mqsmvj.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1ad96

Drops PE files

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F142F50
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	3_2_0F582F50
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	11_2_0F582F50

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F146BA0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F146DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	3_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	3_2_0F586BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0F586BA0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node

Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F148400

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F143200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F143200

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F145FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585FF0 mov eax, dword ptr fs:[00000030h]	3_2_0F585FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585FF0 mov eax, dword ptr fs:[00000030h]	11_2_0F585FF0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F143C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F143C70

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F149200 cpuid

0_2_0F149200

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

0_2_0F147490

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
ipv4bot.whatismyipaddress.com	unknown	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: IJr8RvvhZ3.exe	Virustotal: Detection: 87%	Perma Link
Source: IJr8RvvhZ3.exe	Metadefender: Detection: 86%	Perma Link
Source: IJr8RvvhZ3.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: IJr8RvvhZ3.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: IJr8RvvhZ3.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 25.3.mqsmvj.exe.3490000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.mqsmvj.exe.3790000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 38.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 36.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.mqsmvj.exe.32b0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.3.mqsmvj.exe.3130000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.3.mqsmvj.exe.3970000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.3.mqsmvj.exe.3a70000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.3.mqsmvj.exe.3930000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 38.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.3.mqsmvj.exe.3290000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.3.mqsmvj.exe.3b50000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 36.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 35.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.3.mqsmvj.exe.3470000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 27.3.mqsmvj.exe.3490000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.mqsmvj.exe.f580000.0.unpack	Avira: Label: TR/Dropper.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F148400
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F144B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F144B20
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F145860
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1482B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F1482B0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1463E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F1463E0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F145670
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F146660
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1453D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F1453D0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F1434F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F1434F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	3_2_0F585860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F584B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	3_2_0F584B20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5863E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	3_2_0F5863E0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5882B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	3_2_0F5882B0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	3_2_0F585670
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	3_2_0F586660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F588400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	3_2_0F588400
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5853D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	3_2_0F5853D0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F5834F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	3_2_0F5834F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0F585860
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F584B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	11_2_0F584B20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5863E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_0F5863E0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5882B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0F5882B0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_0F585670
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F588400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0F588400
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5853D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	11_2_0F5853D0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F5834F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	11_2_0F5834F0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586682 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0F586682

Uses 32bit PE files

Source: IJr8RvvhZ3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IJr8RvvhZ3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File opened: a:

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F146BA0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F146DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	3_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	3_2_0F586BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0F586BA0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F146FF0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F146FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	3_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	3_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0F586FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0F586FF0

Found Tor onion address

Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5

May check the online IP address of the machine

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/63b5ce1c617217a5
Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: mqsmvj.exe, 0000000C.00000002.343769957.0000000000838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/$
Source: mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/4
Source: mqsmvj.exe, 00000019.00000002.501583638.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/9I)
Source: mqsmvj.exe, 0000000E.00000002.373523162.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/CwX
Source: mqsmvj.exe, 0000000B.00000002.327597151.000000000093A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I
Source: mqsmvj.exe, 0000000C.00000002.343812574.0000000000873000.00000004.00000020.00020000.00000000.sdmp, mqsmvj.exe, 0000000C.00000003.343418273.0000000000873000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: IJr8RvvhZ3.exe, 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, mqsmvj.exe, 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, mqsmvj.exe, 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

0_2_0F148050

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.344084967.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.406166723.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598229388.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257994631.000000000F152000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.473021592.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298139854.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.638125851.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.720286366.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.328015412.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.543807830.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.559901286.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.502628191.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.437026618.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.374552502.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.681251272.000000000F592000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJr8RvvhZ3.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 6000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3780, type: MEMORYSTR

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F146660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	3_2_0F586660
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586682 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0F586682

System Summary

Malicious sample detected (through community Yara rule)

Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: IJr8RvvhZ3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: IJr8RvvhZ3.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Detected potential crypto function

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F141C20	0_2_0F141C20
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F141020	0_2_0F141020
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F148520	0_2_0F148520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F581C20	3_2_0F581C20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F581020	3_2_0F581020
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F588520	3_2_0F588520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F581C20	11_2_0F581C20
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F588520	11_2_0F588520
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F581020	11_2_0F581020

Source: IJr8RvvhZ3.exe	Virustotal: Detection: 87%
Source: IJr8RvvhZ3.exe	Metadefender: Detection: 86%
Source: IJr8RvvhZ3.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File read: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Jump to behavior

Source: IJr8RvvhZ3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IJr8RvvhZ3.exe "C:\Users\user\Desktop\IJr8RvvhZ3.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe "C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe"

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@21/1@15/0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

0_2_0F147490

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

0_2_0F147B70

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=63b5ce1c617217a5

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: IJr8RvvhZ3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: IJr8RvvhZ3.exe, type: SAMPLE
Source: Yara match	File source: 23.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IJr8RvvhZ3.exe.3210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.mqsmvj.exe.32b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.mqsmvj.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.mqsmvj.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.mqsmvj.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.mqsmvj.exe.32b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.mqsmvj.exe.3bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.mqsmvj.exe.3970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.mqsmvj.exe.3a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.mqsmvj.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.mqsmvj.exe.3930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.mqsmvj.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.mqsmvj.exe.2fb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.mqsmvj.exe.3930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.mqsmvj.exe.3b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.mqsmvj.exe.3a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.mqsmvj.exe.3470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.mqsmvj.exe.3790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mqsmvj.exe.2fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.mqsmvj.exe.3970000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.mqsmvj.exe.3490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.mqsmvj.exe.3470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.mqsmvj.exe.3bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.IJr8RvvhZ3.exe.3210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IJr8RvvhZ3.exe.f140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.mqsmvj.exe.3490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.mqsmvj.exe.3b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.0.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mqsmvj.exe.f580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.542136140.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.471429233.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.302753635.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.543716929.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.246598852.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598200905.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.583307214.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.518024199.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415482571.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.373855926.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.437171123.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344076256.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.321306914.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.560904578.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.634796069.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.433686067.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.501007155.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.693057490.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.473313238.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.607979017.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.435943163.0000000003930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.495173424.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.681141144.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.284909876.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.596521661.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.502607674.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.374541763.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.328006726.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.472905613.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.650224978.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.366415830.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.542421272.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.502804269.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.638106882.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.373224342.00000000032B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.345391884.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.455550683.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.384391365.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.406139264.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.678365276.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.678519196.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.326861802.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.343391224.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.674598119.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.631210947.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257988090.000000000F14A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.403183321.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.298127638.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.296444653.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.559852565.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.557904847.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.593533053.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.636841128.0000000003970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.436990656.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.720225413.000000000F58A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.257187894.0000000003210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.716539661.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IJr8RvvhZ3.exe PID: 732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 2564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 4480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 5768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 6000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mqsmvj.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe, type: DROPPED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F148400

PE file contains an invalid checksum

Source: IJr8RvvhZ3.exe	Static PE information: real checksum: 0x120f7 should be: 0x1dffd
Source: mqsmvj.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1ad96

Drops PE files

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qwipuxgrdpk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tlrxymtwiqr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce soasnzfwfwv	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xxjrkojdmxk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xbugmifmcap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce bahswixbtvj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce dpmkfuaielt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce eeukvfrmhuc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce yzthpvkcmuu	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ponrvbljnrm
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mqqawysoqgr
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zutkqlfvbho
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zmiqihkfrbh
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rpklcocahbn

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F142F50
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	3_2_0F582F50
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	11_2_0F582F50

Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F146BA0
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F146DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F146DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	3_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	3_2_0F586BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0F586DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F586BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0F586BA0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	API call chain: ExitProcess graph end node

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F148400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F148400

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F143200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F143200

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Code function: 0_2_0F145FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F145FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 3_2_0F585FF0 mov eax, dword ptr fs:[00000030h]	3_2_0F585FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Code function: 11_2_0F585FF0 mov eax, dword ptr fs:[00000030h]	11_2_0F585FF0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F143C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F143C70

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Code function: 0_2_0F149200 cpuid

0_2_0F149200

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\mqsmvj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\IJr8RvvhZ3.exe

0_2_0F147490

ID:	694560
Product:	CloudBasic
Start time:	23:50:56
Start date:	31.08.2022
Sample:	IJr8RvvhZ3.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b77359bc85030f5f856b8010c0ddf6a8
SHA1:	5bff219a3d20203a239a23db69385f2611e67f5d
SHA256:	afd36e5d309ba8576b7e6a31ab1b3af4c3c0530052a2c31b97c688c0e2515005
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
IJr8RvvhZ3.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report IJr8RvvhZ3.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
IJr8RvvhZ3.exe