Source: C:\Windows\System32\drivers\QAssist.sys | Avira: detection malicious, Label: RKIT/Agent.ccibt |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | ReversingLabs: Detection: 76% |
Source: C:\Windows\System32\drivers\QAssist.sys | ReversingLabs: Detection: 46% |
Source: OII9x4FeW7.exe | Virustotal: Detection: 73% |
Source: OII9x4FeW7.exe | ReversingLabs: Detection: 76% |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Joe Sandbox ML: detected |
Source: OII9x4FeW7.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: | Binary string: F:\hidden-master\x64\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, QAssist.sys.2.dr |
Source: | Binary string: F:\hidden-master\Debug\QAssist.pdb source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1 |
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 58.218.67.253:281 |
Source: unknown | DNS traffic detected: queries for: s2010218.f3322.net |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: http://ptlogin2.qun.qq.com%s |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: http://qun.qq.com%s |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: https://ssl.ptlogin2.qq.com%s |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ |
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth |
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth |
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth |
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth |
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth |
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth |
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth |
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Mimikatz strings Author: Florian Roth |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | File created: C:\Windows\system32\drivers\QAssist.sys |
Source: Joe Sandbox View | Dropped File: C:\Windows\System32\drivers\QAssist.sys 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Process token adjusted: Load Driver |
Source: OII9x4FeW7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Ogxog.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs OII9x4FeW7.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.246831697.00000000007A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OII9x4FeW7.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247283379.0000000002500000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs OII9x4FeW7.exe |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\QAssist |
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE | Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE | Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = https://creativecommons.org/licenses/by-nc/4.0/, score = |
Source: QAssist.sys.2.dr | Binary string: \Device\QAssist\DosDevices\QAssist |
Source: QAssist.sys.2.dr | Binary string: \Device\ |
Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@8/4@3/2 |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\87S2tba0tb7QCLOztLTQEAn6pg== |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01 |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | File read: C:\Users\user\Desktop\OII9x4FeW7.exe |
Source: unknown | Process created: C:\Users\user\Desktop\OII9x4FeW7.exe 'C:\Users\user\Desktop\OII9x4FeW7.exe' |
Source: unknown | Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe' |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ogxog.exe' |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\OII9X4~1.EXE > nul |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1 |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Code function: 1_2_0045F704 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: initial sample | Static PE information: section where entry point is pointing to: .data |
Source: Ogxog.exe.1.dr | Static PE information: real checksum: 0x6fb56 should be: 0x66380 |
Source: OII9x4FeW7.exe | Static PE information: real checksum: 0x6fb56 should be: 0x66380 |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Code function: 1_2_0045E860 push eax; ret |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Code function: 2_2_0045E860 push eax; ret |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | File created: C:\Windows\System32\drivers\QAssist.sys |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe\:Zone.Identifier:$DATA |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Window / User API: threadDelayed 509 |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Window / User API: threadDelayed 407 |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\QAssist.sys |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236 | Thread sleep count: 509 > 30 |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236 | Thread sleep time: -30540000s >= -30000s |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6192 | Thread sleep count: 407 > 30 |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe TID: 6236 | Thread sleep time: -60000s >= -30000s |
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Ogxog.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Progman |
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: Ogxog.exe, 00000002.00000002.512918682.0000000000D10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndProgman%s.exeBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilegeCreateEventACloseHandleWaitForSingleObject |
Source: C:\Users\user\Desktop\OII9x4FeW7.exe | Code function: 1_2_0045C790 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: acs.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: vsserv.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: kxetray.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: avp.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: cfp.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: KSafeTray.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: rtvscan.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: 360tray.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: ashDisp.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: TMBMSRV.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: AYAgent.aye |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: QUHLPSVC.EXE |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: RavMonD.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Mcshield.exe |
Source: OII9x4FeW7.exe, 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, Ogxog.exe, 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp | Binary or memory string: K7TSecurity.exe |
Source: Yara match | File source: 00000002.00000002.514979015.0000000010100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.247680497.0000000010100000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: OII9x4FeW7.exe PID: 3604, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Ogxog.exe PID: 6188, type: MEMORY |
Source: Yara match | File source: 1.2.OII9x4FeW7.exe.10101928.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.Ogxog.exe.10101928.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.OII9x4FeW7.exe.10110f70.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.Ogxog.exe.10110f70.5.raw.unpack, type: UNPACKEDPE |