Source: xXQ39a5f9EJP.exe, 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2721166545.00000000008F6000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabRead
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, type: UNPACKEDPE
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, type: UNPACKEDPE
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.unpack, type: UNPACKEDPE
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.unpack, type: UNPACKEDPE
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000002.2722186865.000000000292B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2724541084.000000001B1C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2724197817.000000001B054000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2721545621.0000000000BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B888346
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B8890F2
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B8830E2
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B88FFE0
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B88FF58
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B88DE0D
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B88C56F
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B89DD00
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B88FBFA
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Code function: 0_2_00007FFD9B88F460
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: xXQ39a5f9EJP.exe, type: SAMPLE
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.unpack, type: UNPACKEDPE
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000000.00000002.2722186865.000000000292B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2724541084.000000001B1C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2724197817.000000001B054000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2721545621.0000000000BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, ITaskFolder.cs
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskFolder.cs
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Task.cs
Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskService.cs
Task registration methods: 'CreateFromToken'
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, ITaskFolder.cs
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskFolder.cs
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: xXQ39a5f9EJP.exe, Settings.cs
Base64 encoded string: 'quD89VklbLlWuXA8KTZXqzNYbW24Nfz7n7hOk1vOwu0lCUiDSdtLexUBAYLjNYlz6c7Mcx77B5oFBswiOvcoMQ==', 'ZOqRNr8kUQheezl6G9UcGpZEVSIvoRdQZQ0sCNk9a7W5exAmHcP6VkDgMa3Q5wxLpXge1eCVQ1BOI1J62syVbXaEmfbLREe9lwsi0Lmh95k=', 'ndWrB5bSaroCSX8InKS8uc1A/8TUgGdRwEBU7FU+BR5SjDDc7V6u+Dz5WmDKkdrrLSL/H2wm/+RXiC7riMX4/QT1SPs6OrIoLDZdhWMhjcU=', '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', 'SobhorC+zh6T8g0QmTis74cZUXzTGv8Kr0KaTC0Bhil75w9UtQyIeyxINAlF+0JJpYCqWqH23bPNer+4phR4ilPHWHsajjGNb3KIIm8fUU0aCNcfMuzsQKBiCvqJ7pfPno5sMuEFggMmMe+9SKv2UD+vacOPRJ9/3ExnTEH9J5woy1zO/5dOTGns/SYsIHI3BTTiiXuyGHKCCwtQDeBOyUd/JTYYEMpmiFT+XICJbXkrECAVQ5EESwFI6g3guC8AMIZMN0FuIJ9XJQkn3fM8vJKLB4gMT5g2pgYcOcHUJWU=', 'nU2RVe+a+JNyRZ0kkgA0JG/VT0ga++Ax+UocVa2vDw/L36A0eoQcjjAocH9Pgquq9oXyFg/3Ci6hQuPDnORoaA==', 'nvp3ctvHs3A7rxsqSx8wu1sCh6h356TtfKXGnuMB5d5rbYiPP/Y/PB3egTFwEVsHYKirpv98e/Yw3JzIH29Y3w==', '/1b94d2H3dUD/r15ceCDjsrNq/uvRsU1puTernUezQuuc9JdKzLiQtrTfDbXltq3SvvfnM1itQd8Ef7fVHO37A==', 'Q9qWR8GyJqWiHaI0t1nxnix+r+YHfGzrqDGuAVv9mTJxCrtLtmEynSs3Hs/Bu/PJ/3zxkSwdymgUwbmRhr3IOQ=='
Source: xXQ39a5f9EJP.exe, NormalStartup.cs
Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, HandleNormalStartup.cs
Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, HandleNormalStartup.cs
Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Task.cs
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskPrincipal.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskFolder.cs
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, Task.cs
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: xXQ39a5f9EJP.exe, Methods.cs
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: xXQ39a5f9EJP.exe, Methods.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, User.cs
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, Methods.cs
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, Methods.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskPrincipal.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Methods.cs
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Methods.cs
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskSecurity.cs
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskSecurity.cs
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskSecurity.cs
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskSecurity.cs
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskFolder.cs
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, User.cs
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: secur32.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: schannel.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: webio.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: sxs.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: devenum.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: winmm.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: devobj.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Section loaded: msdmo.dll
Source: C:\Windows\System32\cmd.exe
Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Process information set: NOOPENFILEERRORBOX (56 identical entries)
Source: C:\Windows\System32\cmd.exe
Process information set: NOOPENFILEERRORBOX
Source: xXQ39a5f9EJP.exe, AntiProcess.cs
Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: xXQ39a5f9EJP.exe, Win32.cs
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: xXQ39a5f9EJP.exe, Win32.cs
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: xXQ39a5f9EJP.exe, Amsi.cs
Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)