Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Recovery\dwm.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Recovery\RCX67AA.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Program Files (x86)\Google\RCX75E9.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Recovery\RCX786B.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Users\user\Desktop\RCX6567.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Recovery\RCX6C11.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Recovery\services.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Recovery\sihost.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Avira: detection malicious, Label: HEUR/AGEN.1310064 |
Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack |
Malware Configuration Extractor: DCRat {"SCRT": "{\"b\":\"-\",\"B\":\"^\",\"1\":\",\",\"a\":\"@\",\"I\":\" \",\"2\":\";\",\"T\":\"&\",\"L\":\"<\",\"z\":\"~\",\"j\":\"%\",\"M\":\"$\",\"w\":\"!\",\"S\":\"`\",\"y\":\"_\",\"F\":\"|\",\"k\":\"(\",\"J\":\"#\",\"u\":\")\",\"W\":\"*\",\"n\":\".\",\"O\":\">\"}", "PCRT": "{\"U\":\"(\",\"J\":\"&\",\"M\":\"#\",\"N\":\"!\",\"G\":\",\",\"C\":\"~\",\"Y\":\";\",\"H\":\"-\",\"R\":\".\",\"D\":\" \",\"B\":\"%\",\"p\":\"<\",\"W\":\"$\",\"h\":\")\",\"I\":\"|\",\"F\":\"^\",\"5\":\"_\",\"Q\":\"*\",\"Z\":\">\",\"n\":\"`\",\"e\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ePGv71Xi6eHATgLCXbMW", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 1, "AUR": 1, "AURD": "{C:}/Program Files/WinRAR", "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"} |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
ReversingLabs: Detection: 81% |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Virustotal: Detection: 81% |
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
ReversingLabs: Detection: 81% |
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Virustotal: Detection: 81% |
Source: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
ReversingLabs: Detection: 81% |
Source: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Virustotal: Detection: 81% |
Source: C:\Recovery\dwm.exe |
ReversingLabs: Detection: 81% |
Source: C:\Recovery\dwm.exe |
Virustotal: Detection: 81% |
Source: C:\Recovery\services.exe |
ReversingLabs: Detection: 81% |
Source: C:\Recovery\services.exe |
Virustotal: Detection: 81% |
Source: C:\Recovery\sihost.exe |
ReversingLabs: Detection: 81% |
Source: C:\Recovery\sihost.exe |
Virustotal: Detection: 81% |
Source: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
ReversingLabs: Detection: 81% |
Source: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Virustotal: Detection: 81% |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe |
ReversingLabs: Detection: 81% |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe |
Virustotal: Detection: 81% |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Joe Sandbox ML: detected |
Source: C:\Recovery\dwm.exe |
Joe Sandbox ML: detected |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Joe Sandbox ML: detected |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Joe Sandbox ML: detected |
Source: C:\Recovery\services.exe |
Joe Sandbox ML: detected |
Source: C:\Recovery\sihost.exe |
Joe Sandbox ML: detected |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Joe Sandbox ML: detected |
Source: Mt6QkZnVbc.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
Directory created: C:\Program Files\Windows Portable Devices\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
Directory created: C:\Program Files\Windows Portable Devices\5d095569012eb4 |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
Directory created: C:\Program Files\Windows Portable Devices\RCX7115.tmp |
Source: Mt6QkZnVbc.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File opened: C:\Users\user |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File opened: C:\Users\user\AppData |
Source: Malware configuration extractor |
URLs: http://a0941979.xsph.ru/@zd3bk5Wa3RHb1FmZlR0X |
Source: Yara match |
File source: Mt6QkZnVbc.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED |
Source: Yara match |
File source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Source: Yara match |
File source: C:\Recovery\RCX786B.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Source: Yara match |
File source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Recovery\RCX67AA.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Recovery\sihost.exe, type: DROPPED |
Source: Yara match |
File source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Recovery\dwm.exe, type: DROPPED |
Source: Yara match |
File source: C:\Recovery\RCX6C11.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED |
Source: Yara match |
File source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Source: Yara match |
File source: C:\Recovery\services.exe, type: DROPPED |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000032D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/Vh5j3kta |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C316000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/odirmogram |
Source: Mt6QkZnVbc.exe, type: SAMPLE |
Matched rule: DCRat payload Author: ditekSHen |
Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Recovery\RCX786B.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Recovery\RCX67AA.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Recovery\sihost.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Recovery\dwm.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Recovery\RCX6C11.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: C:\Recovery\services.exe, type: DROPPED |
Matched rule: DCRat payload Author: ditekSHen |
Source: Mt6QkZnVbc.exe, Ba5.cs |
Long String: Length: 469152 |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\SKB\LanguageModels\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe\:Zone.Identifier:$DATA |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\SKB\LanguageModels\5d095569012eb4 |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe\:Zone.Identifier:$DATA |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\ServiceProfiles\LocalService\Desktop\7ccfebd9e92364 |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\SKB\LanguageModels\RCX6E93.tmp |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
File created: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
Code function: 0_2_00007FFD9B8790B4 |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
Code function: 0_2_00007FFD9B88309D |
Source: C:\Users\user\Desktop\Mt6QkZnVbc.exe |
Code function: 0_2_00007FFD9B870F80 |
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Code function: 13_2_00007FFD9B8B0F88 |
Source: C:\Program Files (x86)\Windows Mail\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe |
Code function: 15_2_00007FFD9B8A5141 |
Source: C:\Recovery\dwm.exe |
Code function: 18_2_00007FFD9B890F88 |
Source: C:\Recovery\dwm.exe |
Code function: 19_2_00007FFD9B8A0F88 |
Source: C:\Recovery\services.exe |
Code function: 22_2_00007FFD9B8A5141 |
Source: C:\Recovery\services.exe |
Code function: 24_2_00007FFD9B875141 |
Source: C:\Recovery\sihost.exe |
Code function: 35_2_00007FFD9B895141 |
Source: C:\Recovery\sihost.exe |
Code function: 36_2_00007FFD9B8B5141 |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe |
Code function: 37_2_00007FFD9B8A5141 |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe |
Code function: 38_2_00007FFD9B895141 |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe |
Code function: 39_2_00007FFD9B8A5141 |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1834404756.000000001C5F0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833776233.000000001C5E0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameRegEditorPlugin.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831177564.000000001BBE0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1821121468.0000000013454000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename$ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1835516693.000000001C610000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameUSBSpread.dll4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1840828053.000000001C7CC000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameLpfieQBsDPgEKgg.exeD vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003B79000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameniVD4fdxO48.exe vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003950000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameniVD4fdxO48.exeD vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1834833653.000000001C600000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1838999865.000000001C640000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833595298.000000001C3D0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832904401.000000001C390000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename( vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1854263821.000000001C8C7000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameojIckCGKeaTDDtL0f@ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000000.1690631223.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831005329.000000001BBA0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilename$ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832340256.000000001C2F8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFileNamew vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1836549677.000000001C620000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831099502.000000001BBC0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameBSoDProtection.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1832955052.000000001C3A0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameMiscInfoGrabber.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.0000000003A67000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833548960.000000001C3C0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831274570.000000001BC10000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1833461058.000000001C3B0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameOBSGrabber.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1814092338.00000000034F9000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1838896721.000000001C630000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831129714.000000001BBD0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe, 00000000.00000002.1831243375.000000001BC00000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameCrashLogger.dclib4 vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe |
Binary or memory string: OriginalFilenamekOqIuwMEeO9OzX.exe@ vs Mt6QkZnVbc.exe |
Source: Mt6QkZnVbc.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: Mt6QkZnVbc.exe, type: SAMPLE |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: 0.0.Mt6QkZnVbc.exe.ec0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Windows\SKB\LanguageModels\RCX6E93.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\UserOOBEBroker.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Windows\ServiceProfiles\LocalService\Desktop\RCX73C5.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Recovery\RCX786B.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files (x86)\Windows Mail\RCX69BF.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Recovery\RCX67AA.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files (x86)\Google\RCX75E9.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Recovery\sihost.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files\Windows Portable Devices\RCX7115.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Recovery\dwm.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Recovery\RCX6C11.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Users\user\Desktop\RCX6567.tmp, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Program Files (x86)\Google\BxpXDwLzzgPDKkwHFtsUbGgAjn.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: C:\Recovery\services.exe, type: DROPPED |
Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
Source: Mt6QkZnVbc.exe, Q69.cs |
Cryptographic APIs: 'TransformBlock' |
Source: Mt6QkZnVbc.exe, Q69.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: Mt6QkZnVbc.exe, Q69.cs |
Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock' |
Source: Mt6QkZnVbc.exe, 277.cs |
Base64 encoded string: 'H4sIAAAAAAAEAFXSXZOaMBQG4B/UG7OduutlQYFkBUogR+AO8YNg1O3gqvTXNywvM+0FQ545LycnGRb0UnfeuZxzVzrCXZso2DblOdZvM/WfQ0r0Q/OFcPNZlBe+k66PStdG+tt7Oat724dI8/qj5XXj7xonqFqRFya68Pp24XPeSz8ae2pOSfpjU+WLvjbPTWV7bRvxvbyLQN1nl3j5lXdlSsOeaTjnWpF34t2qtXOwxLU9+mvLVURZZtfsa82UzZZ/npvibGcIxEr+60h6Mhz2rinTDUvCnU9Oo8qXk7951u0ucKi8HUkqouwgWLISOtbwcG5t9wi8FU138NM+dsbc2Hdn30f4E/7GR1fwb1jCB+QZH72HfdTfYAF/4PsrfILzKQ8/YAO703zwCv6EU/gGc/gVLqfzYJ4l3KEewA0cwy0cwWf4Hb7CZP063HVi1NIxvOPpQT/ML/vE+sHs3Xtru16PNlv4HXUaTTDtRjOOfDram/IVfEBdIp/j+z3qBfIK/dGPob8nkMd8BBv0N1P/qR/O403nQd7D/CxGPkQe+9E0fwIXMO6DkDeY3ySYZ7ovm2f74d9V9p/ORL//C61hzBDwAwAA', 'H4sIAAAAAAAEAA3OUQtDQBwA8K/y153LFroyajkiFk+KotkDV2dz9yCakgf57NvvE/yCoPyoWAcPkkZpCtpOr9elsbJDbwGZWA5N8UU+Npa83GpbXMZMnNJmriDhXpJQe/hsm1NBqzxSsw79aMAKyVWDw4rMqdoh47wg7bM5I1WkL6+jzEQ2mztH3FweOgbB1EixvPfMi/OByul/4RhQ//4B4kpVrJwAAAA=' |
Source: Mt6QkZnVbc.exe, kJk.cs |
Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA==' |